Manalyze report for e372d1ba2d3a1936e3e8cdd3febf2038

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `Unusual section name found: UPX2` `The PE only has 6 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Leverages the raw socket API to access the Internet: WSAGetOverlappedResult`
Malicious	VirusTotal score: 47/71 (Scanned on 2023-05-26 18:26:42)	`Lionic: Riskware.Win32.BitCoinMiner.1!c` `DrWeb: Trojan.BtcMine.3528` `MicroWorld-eScan: Trojan.GenericKDS.61000609` `ALYac: Trojan.GenericKDS.61000609` `Cylance: unsafe` `Zillya: Trojan.CoinMiner.Win32.45920` `Sangfor: Trojan.Win32.Save.a` `K7AntiVirus: Trojan ( 0057e24a1 )` `Alibaba: RiskWare:Win32/BitCoinMiner.182e5ed5` `K7GW: Trojan ( 0057e24a1 )` `CrowdStrike: win/malicious_confidence_60% (W)` `Cyren: W64/ABMiner.YUAA-6247` `Symantec: ML.Attribute.HighConfidence` `Elastic: malicious (moderate confidence)` `ESET-NOD32: a variant of WinGo/CoinMiner.P` `APEX: Malicious` `Kaspersky: not-a-virus:RiskTool.Win32.BitCoinMiner.omrq` `BitDefender: Trojan.GenericKDS.61000609` `Avast: Win32:Miner-HK [Trj]` `Rising: HackTool.XMRMiner!1.C2EC (CLOUD)` `Emsisoft: Trojan.GenericKDS.61000609 (B)` `VIPRE: Trojan.GenericKDS.61000609` `TrendMicro: TROJ_GEN.R002C0WHJ22` `McAfee-GW-Edition: BehavesLike.Win64.Trickbot.vc` `FireEye: Trojan.GenericKDS.61000609` `Sophos: Generic Reputation PUA (PUA)` `Ikarus: Trojan.WinGo.Coinminer` `Jiangmin: RiskTool.BitCoinMiner.atkt` `Webroot: W32.Trojan.GenKDS` `Google: Detected` `Antiy-AVL: Trojan/Win32.CoinMiner` `Gridinsoft: Ransom.Win64.TrickBot.oa!s2` `Arcabit: Trojan.GenericS.D3A2CBA1` `ZoneAlarm: not-a-virus:RiskTool.Win32.BitCoinMiner.omrq` `GData: Trojan.GenericKDS.61000609` `Cynet: Malicious (score: 100)` `McAfee: Artemis!E372D1BA2D3A` `MAX: malware (ai score=99)` `Malwarebytes: RiskWare.CoinMiner` `TrendMicro-HouseCall: TROJ_GEN.R002C0WHJ22` `Tencent: Win32.Risktool.Bitcoinminer.Jjgl` `Yandex: Riskware.BitCoinMiner!vIJir8tk1Bs` `SentinelOne: Static AI - Suspicious PE` `MaxSecure: Trojan.Malware.11387115.susgen` `Fortinet: W32/PossibleThreat` `AVG: Win32:Miner-HK [Trj]` `DeepInstinct: MALICIOUS`

Hashes

MD5	`e372d1ba2d3a1936e3e8cdd3febf2038`
SHA1	`06ed6e0be895945bc78adac9aa0283e50fc93349`
SHA256	`137197636e52f813606d4d979a270447888336d3403d3c94fe39310a903a59f9`
SHA3	`bc7383a5b4eeaadaac4f62a7c34b66bd66ef8b20e1eaeb82098ccd8ead0807f6`
SSDeep	`49152:f5UX4uCXsw6rBbn0zdkfnDV/4TE6/lIKiebQ+LTq4ujYv9XiwuPNhO8NX:f5UX4JF6rBYzyfGTJ/lIVebQ+L2ZsVS`
Imports Hash	`406f4cbdf82bde91761650ca44a3831a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0x4`
e_cparhdr	`0`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x9d5e00`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0x2d6000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0xe57000`
AddressOfEntryPoint	`0x000000000112CDE0 (Section: UPX1)`
BaseOfCode	`0xe58000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x112f000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xe57000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`cf23c7f6eface392dbffd6f23ab40c21`
SHA1	`5640e27377eea4fec68fccc7de3d04213cd14336`
SHA256	`2082137f907650dad729f9906a86dbcf45cc329754bbd10dc82723eb90666c71`
SHA3	`f0b62e674764b8e471c8b8139d61948537eb6567ba680d6710fa897ab33a8d83`
VirtualSize	`0x2d6000`
VirtualAddress	`0xe58000`
SizeOfRawData	`0x2d5a00`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99994`

UPX2

MD5	`43f33fbdd8f8efbbf6ac94c18d81fa4b`
SHA1	`711d904cf832fcd727a1cff2ebfba17ed737e4bd`
SHA256	`4f9748c9ecb9f932f0609a15e9396749b3c81be9efea1557b6886f0b23276549`
SHA3	`d44174e90fccf6e999dec38ca0c69ecbbfee5fbbb04d576680fbd75bc9796f1a`
VirtualSize	`0x1000`
VirtualAddress	`0x112e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2d5c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.54809`

Imports

KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
winmm.dll	`timeEndPeriod`
ws2_32.dll	`WSAGetOverlappedResult`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!