Summary field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_AMD64 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2024-Apr-27 18:54:12 |
Detected languages | English - United States |

Level | Finding | Details |
---|---|---|
Info | Interesting strings found in the binary | Contains domain names: |
Info | Cryptographic algorithms detected in the binary | Uses constants related to CRC32; Uses constants related to SHA256; Microsoft's Cryptography API |
Suspicious | The PE is possibly packed | Unusual section name found: .KrmpBin; Section .KrmpBin is both writable and executable; Unusual section name found: .KrmpSec; Unusual section name found: .gehcont; Unusual section name found: .voltbl; Unusual section name found: .KrmpVmi; Section .KrmpVmi is both writable and executable |
Malicious | The PE contains functions mostly used by malware | [!] The program may be hiding some of its imports: |
Suspicious | No VirusTotal score | This file has never been scanned on VirusTotal. |
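The "possibly packed" verdict above rests on three section-level heuristics that are easy to reproduce by hand. The following is an added example, not output of the report tool and not code from the analysed binary: a standard-library Python parser that walks the DOS header, the COFF header and the section table, then applies the same checks (unusual section names, sections that are both writable and executable, and raw-data entropy) to a constructed minimal PE32+ sample carrying an RWX section named `.KrmpBin` after the one in the report. The allow-list of section names, the 7.0 bits/byte entropy threshold and the sample file are this example's own assumptions; in particular `.gehcont` and `.voltbl` are kept off the unusual list because current MSVC linkers emit them (the EH continuation table and volatile metadata), so the example reports fewer names than the tool did.

```python
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Allow-list of names the MSVC toolchain normally emits (this example's own list,
# not the report tool's); .gehcont (EH continuation table) and .voltbl (volatile
# metadata) are included because current MSVC linkers produce them.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".tls", ".bss", ".CRT", ".gfids", ".giats", ".gehcont", ".voltbl", ".00cfg", "_RDATA",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int


def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (optional-header magic, list of Section)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]  # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i  # section table follows the optional header
        (name_raw, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vsize, vaddr, raw_size, raw_ptr, chars))
    return magic, sections


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def assess(data: bytes, sections) -> list:
    """Reproduce the packing heuristics: odd names, W+X sections, high entropy."""
    findings = []
    for s in sections:
        if s.name not in COMMON_SECTION_NAMES:
            findings.append(f"Unusual section name found: {s.name}")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"Section {s.name} is both writable and executable.")
        ent = shannon_entropy(data[s.raw_ptr:s.raw_ptr + s.raw_size])
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"Section {s.name} has entropy {ent:.2f} bits/byte (packed or encrypted data?)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed sample, not the analysed binary: a minimal PE32+ with a benign
    .text, an RWX section of pseudo-random bytes named after the report, and .data."""
    blob, chunk = b"", b"seed"
    while len(blob) < 0x1000:  # deterministic high-entropy filler (SHA-256 chain)
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    rx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    secs = [
        (b".text", b"\x90" * 0x1000, IMAGE_SCN_CNT_CODE | rx),
        (b".KrmpBin", blob, IMAGE_SCN_CNT_INITIALIZED_DATA | rx | IMAGE_SCN_MEM_WRITE),
        (b".data", b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | rw),
    ]
    opt_size, headers_size = 0xF0, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic; other fields left zero
    table, body, raw_ptr, vaddr = b"", b"", headers_size, 0x1000
    for name, content, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(content), vaddr, len(content), raw_ptr, 0, 0, 0, 0, chars)
        body += content
        raw_ptr += len(content)
        vaddr += (len(content) + 0xFFF) & ~0xFFF
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0")
    return header + body


if __name__ == "__main__":
    pe = build_sample_pe()
    magic, secs = parse_sections(pe)
    print(f"optional header magic {magic:#x}, {len(secs)} sections")
    for line in assess(pe, secs):
        print(line)
```

Run it as a script to print the findings for the built-in sample, or pass the bytes of a real file to `parse_sections` and `assess`. IMAGE_DLLCHARACTERISTICS_NX_COMPAT in the optional header does not neutralise a W+X section: the loader maps each section with the protection its characteristics request, so `.KrmpBin` and `.KrmpVmi` in the analysed file are mapped read-write-execute and can hold unpacked or self-modifying code regardless of DEP.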
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x78 |
e_cp | 0x1 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0 |
e_ss | 0 |
e_sp | 0 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x78 |
PE (COFF) header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberOfSections | 14 |
TimeDateStamp | 2024-Apr-27 18:54:12 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Optional header field | Value |
---|---|
Magic | PE32+ |
LinkerVersion | 14.0 |
SizeOfCode | 0xb8c00 |
SizeOfInitializedData | 0x45200 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000000000008B920 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x259000 |
SizeOfHeaders | 0x400 |
Checksum | 0x250395 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Imported DLL | Imported functions |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringEx, CompareStringW, CreateEventW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, DeleteFileW, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableA, GetExitCodeThread, GetFileAttributesExW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemTimeAsFileTime, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MoveFileExW, MultiByteToWideChar, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResetEvent, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SleepEx, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualProtect, WaitForMultipleObjects, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
ADVAPI32.dll | AdjustTokenPrivileges, CryptAcquireContextW, CryptCreateHash, CryptDestroyHash, CryptDestroyKey, CryptEncrypt, CryptGetHashParam, CryptHashData, CryptImportKey, CryptReleaseContext, LookupPrivilegeValueW, OpenProcessToken |
WS2_32.dll | WSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetLastError, WSAStartup, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostname, getpeername, getsockname, getsockopt, htonl, htons, inet_ntop, inet_pton, ioctlsocket, listen, ntohs, recv, recvfrom, select, send, sendto, setsockopt, socket |
CRYPT32.dll | CertAddCertificateContextToStore, CertCloseStore, CertCreateCertificateChainEngine, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFindExtension, CertFreeCertificateChain, CertFreeCertificateChainEngine, CertFreeCertificateContext, CertGetCertificateChain, CertGetNameStringW, CertOpenStore, CryptDecodeObjectEx, CryptQueryObject, CryptStringToBinaryW, PFXImportCertStore |
Normaliz.dll | IdnToAscii |
bcrypt.dll | BCryptGenRandom |
TLS directory field | Value |
---|---|
StartAddressOfRawData | 0x140112000 |
EndAddressOfRawData | 0x140112008 |
AddressOfIndex | 0x1400f4238 |
AddressOfCallbacks | 0x1400dfd28 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_4BYTES |
Callbacks | (EMPTY) |
Load configuration field | Value |
---|---|
Size | 0x138 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x1400f2e28 |