052fd127af44991e536608c54b1b8442

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Feb-14 08:39:54
Detected languages English - United States
TLS Callbacks 1 callback(s) detected.

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • github.com
  • https://github.com
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Uses constants related to Blowfish
Uses known Diffie-Hellman primes
Uses known Mersenne Twister constants
Microsoft's Cryptography API
Suspicious The PE is possibly packed. Unusual section name found: .gxfg
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryExW
  • LoadLibraryW
Possibly launches other programs:
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptAcquireContextW
  • CryptCreateHash
  • CryptDecrypt
  • CryptDestroyHash
  • CryptDestroyKey
  • CryptEnumProvidersW
  • CryptExportKey
  • CryptGenRandom
  • CryptGetProvParam
  • CryptGetUserKey
  • CryptReleaseContext
  • CryptSetHashParam
  • CryptSignHashW
Leverages the raw socket API to access the Internet:
  • GetAddrInfoExCancel
  • GetAddrInfoExW
  • WSACleanup
  • WSAGetLastError
  • WSAIoctl
  • WSAPoll
  • WSASetLastError
  • WSASocketA
  • WSASocketW
  • WSAStartup
  • accept
  • bind
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • gethostbyaddr
  • gethostbyname
  • gethostname
  • getnameinfo
  • getpeername
  • getservbyname
  • getservbyport
  • getsockname
  • getsockopt
  • htonl
  • htons
  • inet_addr
  • inet_ntoa
  • inet_pton
  • ioctlsocket
  • listen
  • ntohs
  • recv
  • recvfrom
  • select
  • send
  • sendto
  • setsockopt
  • shutdown
  • socket
Enumerates local disk drives:
  • GetDriveTypeW
Interacts with the certificate store:
  • CertOpenStore
  • CertOpenSystemStoreW
Suspicious VirusTotal score: 1/68 (Scanned on 2026-02-17 06:50:01) DrWeb: BackDoor.Siggen2.5711

Hashes

MD5 052fd127af44991e536608c54b1b8442
SHA1 53c448189543a855c2a209bf0c0b5d39152b0ba5
SHA256 1ac2c21c314bc1554ec0074adeedf1900b6be0da5c07359568c33a5cbd876161
SHA3 7f9ff37b6c59b0e35c5ce582aadf26fd3f4eb45d4f56d9d17106c77bcf1a3f72
SSDeep 49152:LeOh26uJ2VAGtlqF5VwASO0Ts4qXorNIWAUvssDvPdrrFwMVl8nWqoCW9JHBTg0:amfYsNIWg4ij79K+EyGuZiwo+0jbag
Imports Hash d16dcf9a20f4211917fe64ac6e9471df

DOS Header

e_magic MZ
e_cblp 0x78
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x78

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 9
TimeDateStamp 2026-Feb-14 08:39:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x45d600
SizeOfInitializedData 0x1bc800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000428A08 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x624000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6b5f0407f4ab4986e3c564891ce56a7c
SHA1 ce080e2c9848a79d29b7e4b50de3441391167fa9
SHA256 bf95300fb537e6416274729b2d475c3db8c17c58b7b942cf5e6fc20c5345f5d7
SHA3 a598fb3ba8a1fd6bbf40e916d6dddfa6eb37e9ef54f6e8854c301179d3fdd3af
VirtualSize 0x45d5c6
VirtualAddress 0x1000
SizeOfRawData 0x45d600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.70162

.rdata

MD5 128fef2b5528626ba1ed82c36cfd1497
SHA1 2641d22911ef4a5c24f97c6759eeb9917555549e
SHA256 2d42ac4cf0df5683a1d6fd4e0e49242c600cfb662bd07306f4f1d16a44358fe0
SHA3 502e4fa6b8db2dcb69de7423d7a91d69c57c335bf70689d1ee6260cbdb3b1900
VirtualSize 0x16494c
VirtualAddress 0x45f000
SizeOfRawData 0x164a00
PointerToRawData 0x45da00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.65812

.data

MD5 e5aa21a197d369dd816958fc5825ae63
SHA1 e1b98acd8d50efe3ad0e8027e20c267c6efce5a3
SHA256 2b8fcc75ae936ec1de9479c1ab8fd5aa810cc36d79036f0d47f8106423b0e211
SHA3 bce864d39f8d64cc79038fd1c9b71cf6ea71d08ae8c0a935f3840b9d7b08f016
VirtualSize 0x1a438
VirtualAddress 0x5c4000
SizeOfRawData 0x15e00
PointerToRawData 0x5c2400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.13844

.pdata

MD5 3ac7f896d507e5ddb178dafc825022bb
SHA1 04838e77f7a3d90d2d104cafa42dc9b252dfae15
SHA256 ca4289a7f3beccef36a594ca8bd75fadd014d49c68199e79a0e943bcf5788cf6
SHA3 c3bb011f87ad09aeaece9c7437f1ec5bd908dd5b74baa451ab5441f33f828ff7
VirtualSize 0x2f154
VirtualAddress 0x5df000
SizeOfRawData 0x2f200
PointerToRawData 0x5d8200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.30953

.gxfg

MD5 8d4554a0336d44087c61562ede1c3acc
SHA1 9f77fa4b7bb0ed089417e3570857f7f47e0825e4
SHA256 6b4607e9eff6aae991b95e3f648dcdb76508958fe4002658f20c647f6511bd3c
SHA3 f4559ce161baf0dde3e88be6cc30bdfaad4a925b80eae365687f327aede5e546
VirtualSize 0x2ee0
VirtualAddress 0x60f000
SizeOfRawData 0x3000
PointerToRawData 0x607400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.15345

.tls

MD5 1404500cbb2fcfbac634b5ccd84c81ad
SHA1 16c6fe32b97b4792fb806269eb0ee79f42d55965
SHA256 a3d8569a129217821088204ab82cae6de26134a972fb93a0aea8839597b79add
SHA3 dc101cabc43e59e3dc5d2109a743637079de49883a97de8c45156274ea362f0d
VirtualSize 0x1811
VirtualAddress 0x612000
SizeOfRawData 0x1a00
PointerToRawData 0x60a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.746941

_RDATA

MD5 e6e713335ccc6c90572977ff8b250c21
SHA1 3942531e791d20a13763cb6b33d936bac7afd17f
SHA256 14175e481a406756a23d0689b45b0592ee2321ecfa56a5eff9e3a21dccad6364
SHA3 525f93b6593f5b9d2ae149674da879da34f88a79dd5204b66ec1dc193eed84b4
VirtualSize 0x1f4
VirtualAddress 0x614000
SizeOfRawData 0x200
PointerToRawData 0x60be00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.14763

.rsrc

MD5 5b226145aa925a9e5f74e23da1a610b5
SHA1 7ff87445f6d30581404374f3c7102ae39e4a2abf
SHA256 cd801677f5024d01dcca43d1fe29ef6cf5f05dd18427b6beb111c22208932515
SHA3 bf9fade940ffc7478b04b212f3bb62e15ac43e14f499f3030b820d82463b9378
VirtualSize 0x1d8
VirtualAddress 0x615000
SizeOfRawData 0x200
PointerToRawData 0x60c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.59907

.reloc

MD5 340bdae295444cafa91ba9361687e2bf
SHA1 92f83930cb1615bf3a63b9e902d5c9ba0fff2db9
SHA256 5d9ae9a1ed6774ae1b18f86983b3b0ceba26457a44293684d43a29920e6a10e0
SHA3 0fa2f0167b348f738c827808f9aaca8f07d4ed89e5fd357ee921afe3cb9ec8e7
VirtualSize 0xdf70
VirtualAddress 0x616000
SizeOfRawData 0xe000
PointerToRawData 0x60c200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.43897

Imports

IPHLPAPI.DLL GetNetworkParams
CRYPT32.dll CertCloseStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenStore
CertOpenSystemStoreW
WS2_32.dll GetAddrInfoExCancel
GetAddrInfoExW
WSACleanup
WSAGetLastError
WSAIoctl
WSAPoll
WSASetLastError
WSASocketA
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyaddr
gethostbyname
gethostname
getnameinfo
getpeername
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
inet_pton
ioctlsocket
listen
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket
KERNEL32.dll AcquireSRWLockExclusive
AcquireSRWLockShared
CloseHandle
CompareStringEx
CompareStringW
ConvertFiberToThread
ConvertThreadToFiberEx
CopyFileW
CreateDirectoryW
CreateEventW
CreateFiberEx
CreateFile2
CreateFileMappingFromApp
CreateFileW
CreateHardLinkW
CreatePipe
CreateProcessA
CreateSemaphoreA
CreateSymbolicLinkW
CreateThread
DecodePointer
DeleteCriticalSection
DeleteFiber
DeviceIoControl
DisableThreadLibraryCalls
EncodePointer
EnterCriticalSection
EnumSystemLocalesW
ExitProcess
ExitThread
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindFirstFileW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameExA
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesExW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetLocaleInfoEx
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOEMCP
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetSystemTimeAsFileTime
GetTimeFormatW
GetTimeZoneInformation
GetUserDefaultLCID
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitOnceBeginInitialize
InitOnceComplete
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
InitializeSRWLock
InterlockedFlushSList
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
LCMapStringEx
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LocalFree
MapViewOfFileFromApp
MultiByteToWideChar
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
QueueUserWorkItem
RaiseException
ReadConsoleA
ReadConsoleW
ReadFile
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwindEx
RtlVirtualUnwind
SetConsoleCP
SetConsoleCtrlHandler
SetConsoleMode
SetConsoleOutputCP
SetEndOfFile
SetEnvironmentVariableW
SetFileInformationByHandle
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SwitchToFiber
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
UnhandledExceptionFilter
UnmapViewOfFile
VirtualFree
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile
ADVAPI32.dll CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDestroyHash
CryptDestroyKey
CryptEnumProvidersW
CryptExportKey
CryptGenRandom
CryptGetProvParam
CryptGetUserKey
CryptReleaseContext
CryptSetHashParam
CryptSignHashW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
USER32.dll GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW

Delayed Imports

Exports

DllCanUnloadNow

Ordinal 1
Address 0x582682
ForwardName \\.\GLOBALROOT\SystemRoot\System32\Windows.StateRepositoryPS.dll.DllCanUnloadNow

DllGetClassObject

Ordinal 2
Address 0x5826d3
ForwardName \\.\GLOBALROOT\SystemRoot\System32\Windows.StateRepositoryPS.dll.DllGetClassObject

DllMain

Ordinal 3
Address 0x41110

Resources

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x173
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.86408
MD5 ec99e449d59f4ea12cb3cacd67758333
SHA1 a937a8ee39e3f34f965272e65ec222ee180409b7
SHA256 21b94da3059888ac59c765033b2285253f7a1d7308a412630a001af11474f478
SHA3 e35f054b574a0d6d517272f0c24fc14e8dc594346ca8196a070fd4d8f2abe5e8

Version Info

TLS Callbacks

StartAddressOfRawData 0x180612000
EndAddressOfRawData 0x180613810
AddressOfIndex 0x1805d9f28
AddressOfCallbacks 0x1805825c0
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks 0x00000001801D3740

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1805d2240

RICH Header

Errors