Manalyze report for 0031c1a23edb31b70352af09dbc25678

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Oct-07 14:06:27
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot` `The PE only has 5 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: FindWindowA` `Can access the registry: RegCloseKey` `Leverages the raw socket API to access the Internet: htons`
Malicious	VirusTotal score: 21/65 (Scanned on 2021-10-15 22:36:38)	`Elastic: malicious (high confidence)` `Sangfor: Suspicious.Win32.Save.a` `CrowdStrike: win/malicious_confidence_60% (D)` `BitDefender: Gen:Variant.Razy.611894` `Cyren: W64/Trojan.GJD.gen!Eldorado` `Cynet: Malicious (score: 100)` `MicroWorld-eScan: Gen:Variant.Razy.611894` `Ad-Aware: Gen:Variant.Razy.611894` `Emsisoft: Gen:Variant.Razy.611894 (B)` `McAfee-GW-Edition: BehavesLike.Win64.PWSZbot.rc` `SentinelOne: Static AI - Malicious PE` `FireEye: Generic.mg.0031c1a23edb31b7` `Sophos: Generic ML PUA (PUA)` `APEX: Malicious` `GData: Gen:Variant.Razy.611894` `Avira: HEUR/AGEN.1141501` `Gridinsoft: Trojan.Heur!.032100A3` `ALYac: Gen:Variant.Razy.611894` `MAX: malware (ai score=86)` `Cylance: Unsafe` `MaxSecure: Trojan.Malware.300983.susgen`

Hashes

MD5	`0031c1a23edb31b70352af09dbc25678`
SHA1	`553d403399a4acd1777efd61655ad5d059453b47`
SHA256	`5f4434ac3858258e1c910f0323685557a4d047329524b9ed1bb01ab5a7ada243`
SHA3	`c6b9e15cf11cfbad412cf0a89affaf034717ea033683048978f0a9fa2a6f3002`
SSDeep	`196608:u3bhylOawaT3PdehGr0lq8nhbDz00+9fpJ2NTJ62Z9:u3aTTfdeeKn5/Z+D0NlFf`
Imports Hash	`f28a8a08abfe0ce38ea975c4b8d28208`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`13`
TimeDateStamp	2021-Oct-07 14:06:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2ac00`
SizeOfInitializedData	`0x23400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000D9E058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x15c3000`
SizeOfHeaders	`0x600`
Checksum	`0x8588d1`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`9ef3956172fe8bb3c4a98d4969173d09`
SHA1	`be95ecd259d8981c714d68f1c018184bc530690f`
SHA256	`5c81ed2333975a2ce06489512076ffc96c7ba24d57a60def2c9498b6d23c219e`
SHA3	`280af6e2ca45bde70cb0802a1cbe7450d715058acbc7c22eb899f81e91b7e3fb`
VirtualSize	`0x2aa50`
VirtualAddress	`0x1000`
SizeOfRawData	`0x16600`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.97701`

(#2)

MD5	`3cf23e69ac3855d79eded7a1b197e042`
SHA1	`b95ced92c8c112d5f712adcc28cb7442678db2c3`
SHA256	`ceff2aa010899728d6d21e31c5324a56006a72a49e976964dcfe2fdedbe1b8af`
SHA3	`9294036514d32b66255513055e766533d912029bf3b1c6fd513e1c1c0f5d91e9`
VirtualSize	`0x1cc8e`
VirtualAddress	`0x2c000`
SizeOfRawData	`0xdc00`
PointerToRawData	`0x16c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.9537`

(#3)

MD5	`ac714f8441da02a29dbf0c664a0ac69f`
SHA1	`8586f9cca15c920a08f3ff42e952d340a26462a5`
SHA256	`dc97307e6dea3299040e5d23a04f6f115d9288219dc565583a61db1c0e384969`
SHA3	`a2983394c35bb4d69a336643e6f59bd4f8902169120760b6d6708bdce32095a0`
VirtualSize	`0x314c`
VirtualAddress	`0x49000`
SizeOfRawData	`0x400`
PointerToRawData	`0x24800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.54894`

(#4)

MD5	`e18832728f785d25d42c48cc873b0649`
SHA1	`3808f05bf4126ba0d0df6e0c815cdd8ffcec6396`
SHA256	`a39258b437428d5c5978b423a863c2f171e87ebc5f09dac2104eb0a3570f3584`
SHA3	`43c92e310eadecace6e8cc259592602742f2fe94d536e4ad8be4fd860fea44af`
VirtualSize	`0x258c`
VirtualAddress	`0x4d000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x24c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.60727`

(#5)

MD5	`4d38ca7986a53f8f252640dc9e38b955`
SHA1	`97b9c44c6921c1725cedfd9c7c393a11e1fb5f9f`
SHA256	`37792aa1e78f11d1d513eb720a546308654d203336ab24e4ed22906255a86b35`
SHA3	`f312061c9a089f4dc66fe3df5883d830b829875676cb277ac6ba05de3a99869b`
VirtualSize	`0xf4`
VirtualAddress	`0x50000`
SizeOfRawData	`0x200`
PointerToRawData	`0x26200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.44417`

(#6)

MD5	`53d5921f26cb1a2ffac65ade09999c5a`
SHA1	`e97641c710414174f63ea18cce9f6d09091551db`
SHA256	`3a0c670d86c0f751153060f6c8b59df8793d9c14905c1cc7f3fb1d3ff879586f`
SHA3	`230c8636fad0f4337fda351339652b0dd7fbaa6a26a42218e94d3658bfbb0684`
VirtualSize	`0x1e8`
VirtualAddress	`0x51000`
SizeOfRawData	`0x200`
PointerToRawData	`0x26400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.08011`

(#7)

MD5	`fd288ad66538145b3117a04ac9561ba1`
SHA1	`b68f62a5182d2f431d91f5df035f7f74e3ebb80f`
SHA256	`a5cba3dc5d6c575b32f8847fa3b80fea85f323a3658bee8f359ba2e5bb910941`
SHA3	`bcdc54e17654e1e14281df4c1d2ebdd221c15db2be587b0902f6f432e3869dac`
VirtualSize	`0x970`
VirtualAddress	`0x52000`
SizeOfRawData	`0x800`
PointerToRawData	`0x26600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.70648`

.idata

MD5	`e50de9f8f9748642fb44a1c58de72c49`
SHA1	`ed999bcd6aeb46b58448c0564454af5232c5cee4`
SHA256	`f16b48e62a3800720810fbaaf35a9021c1d9fce61a8dc17076e326ecad54e1e7`
SHA3	`9ddf193d6d0d725f31a6e7d035c735bd7f7e3367a13e080387426b519771c17a`
VirtualSize	`0x1000`
VirtualAddress	`0x53000`
SizeOfRawData	`0x200`
PointerToRawData	`0x26e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.3796`

.tls

MD5	`206bf7f84b6763dc5b8945bbe6d15f80`
SHA1	`2965fea07c65f42763126a0225f27e07896c02b1`
SHA256	`b691e7cf5dcd3f34918d6c64e8a46c88e2c0a32cb8bdbfd7f90eab268b8750e1`
SHA3	`b47bab9559b9ab4c3a0def8519654499540411bd1e46d1eed4bafa217435674f`
VirtualSize	`0x1000`
VirtualAddress	`0x54000`
SizeOfRawData	`0x200`
PointerToRawData	`0x27000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.27285`

.rsrc

MD5	`42d8fed9800d70070ab4e36d60b595bc`
SHA1	`3ca3f254c25cf97e07121a2c2163c9d37c633d2d`
SHA256	`cc70194dc80144a2cf02b8db3f162ab7e69ff4e7a2c19c310f46e1619eef65af`
SHA3	`426e5b7ad9a373e478306a03eb7dc20bf0983d7db2dfcf69ea44e7c5f7e49c1e`
VirtualSize	`0x1000`
VirtualAddress	`0x55000`
SizeOfRawData	`0x200`
PointerToRawData	`0x27200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.76666`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xd48000`
VirtualAddress	`0x56000`
SizeOfRawData	`0`
PointerToRawData	`0x27400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`f7ae1ae56009dcdb77d2206ef6121025`
SHA1	`3bc55c533d68777bc1de44572d5e6332c42debe8`
SHA256	`cf2308d64aa5004b827cfc72c74e0935637129a7bbe9cd4195f17437f7bb2e26`
SHA3	`f337e8b00cbb728d90edc1da4cf3971cc8034be6e70684fda51853bdc4682e0b`
VirtualSize	`0x824000`
VirtualAddress	`0xd9e000`
SizeOfRawData	`0x824000`
PointerToRawData	`0x27400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.96395`

.reloc

MD5	`ad6d1ab6301aec66f40363b6c0b36966`
SHA1	`6cf05c47efb007cbe7eae15f6332130fb6c916a5`
SHA256	`ab8e4d20cfacad96e4ceb4b62c883da326dd1935bf28aa6dd5dd5f8c44885947`
SHA3	`a4e53236fbf9990ffa6f0c9918c9f66ab7abc89f9568fe1895e217f339308bf5`
VirtualSize	`0x1000`
VirtualAddress	`0x15c2000`
SizeOfRawData	`0x10`
PointerToRawData	`0x84b400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

Imports

kernel32.dll	`GetModuleHandleA`
WS2_32.dll	`htons`
USER32.dll	`FindWindowA`
ADVAPI32.dll	`RegCloseKey`
ntdll.dll	`RtlInitUnicodeString`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x3da6c6e0`
Unmarked objects	`0`
ASM objects (27412)	`10`
C objects (27412)	`19`
C++ objects (27412)	`177`
C objects (30034)	`16`
ASM objects (30034)	`10`
C++ objects (30034)	`89`
Imports (27412)	`11`
Total imports	`183`
265 (30133)	`6`
Resource objects (30133)	`1`
Linker (30133)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!