Manalyze report for 0d4a1006c03c5a7043de3b0cf904d169

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: /4` `Unusual section name found: /19` `Unusual section name found: /32` `Unusual section name found: /46` `Unusual section name found: /63` `Unusual section name found: /80` `Unusual section name found: /99` `Unusual section name found: /112` `Unusual section name found: /124` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Leverages the raw socket API to access the Internet: WSAGetOverlappedResult`
Malicious	VirusTotal score: 3/65 (Scanned on 2018-11-08 20:45:55)	`Cylance: Unsafe` `Jiangmin: Backdoor.Gorsh.c` `CrowdStrike: malicious_confidence_80% (W)`

Hashes

MD5	`0d4a1006c03c5a7043de3b0cf904d169`
SHA1	`32cadcb447cbb5cbed884a27352836d7fac60671`
SHA256	`5892df42822a84947f4f3d2753631bf66db814417f49595ff95c37bea0dd3871`
SHA3	`8dcd44d708238e6984b119e509338376dd97637c41bdca2125d8d79db05f07db`
SSDeep	`24576:6WAVE2fjGCFrBeqsIJNxzMq1KjmOBK5m1N8/n+:6WAfjG+rBe7IJNxzO6fY8`
Imports Hash	`1c2a6fbef41572f4c9ce8acb5a63cde7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0x4`
e_cparhdr	`0`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`14`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x1f8a00`
NumberOfSymbols	`3634`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0xa6600`
SizeOfInitializedData	`0x13600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000052E60 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x243000`
SizeOfHeaders	`0x600`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ba8bad982fa8c9ccb99d664499dc0852`
SHA1	`5490fae3f1aeebae91738c96eb28804bfaa1c9fc`
SHA256	`18e9f6ecd369bf0aacd58b1fb3a7b6b376bed6c593eeb6eb3c5103cb131dcc65`
SHA3	`9646acc759660a6e81c228ff661c43eb4f2e80c1e9f37f9163e0d50de753c296`
VirtualSize	`0xa64dd`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa6600`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.8665`

.rdata

MD5	`ec367b42c0e4f5f00031089dd340db13`
SHA1	`ca754bd02d93c9f95efd6d27b51bf2e82eb630dc`
SHA256	`7f9f813287b3729ecd938b2c81dfd3094332993d57577b8160b8042ae0e52b06`
SHA3	`010ffa5e15e203894c28ba669a4b7e5a1b39e86eb0bc3c6315e86df0e5083bc9`
VirtualSize	`0xcee82`
VirtualAddress	`0xa8000`
SizeOfRawData	`0xcf000`
PointerToRawData	`0xa6c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.11788`

.data

MD5	`8475ed715a1b412df33e4658b319e2c6`
SHA1	`ae486257518135f8950c797f4108e7433c68a0a7`
SHA256	`f4b8bb6a71e9c1165e24d076d649034fb99179ced1a03358ee04db42cd1fa23a`
SHA3	`64721f8262067d571d7f01922f5b34bab0c90e17d175ec83aab5bd333d105884`
VirtualSize	`0x30f38`
VirtualAddress	`0x177000`
SizeOfRawData	`0x13600`
PointerToRawData	`0x175c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.15623`

/4

MD5	`22b64d2fda5f7ecbbdeaa349e1ceee01`
SHA1	`72c8604af6367d669f6eea1062dc0f551cc85517`
SHA256	`d7d432bd92e4f643749c1eab81bbf7ec6e3b76affcd489039385c75050ef346a`
SHA3	`7f3b8c26b8dcb0a8f677e385f7914766478778ce7ec4dc121158e6b2c36b3246`
VirtualSize	`0x112`
VirtualAddress	`0x1a8000`
SizeOfRawData	`0x200`
PointerToRawData	`0x189200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.75112`

/19

MD5	`d5c8db6832a7245698db412a03d229ce`
SHA1	`4e7f62f354287d30bc336e8e515f179ddccc5e1b`
SHA256	`75ad8307e524015c6a17b0e782edd4f2fcf2fcbb4ed8e64b57446818a529451a`
SHA3	`0c7d8ae54711fc5672804b84825897864c6ad4967b25bffbab4b449206b6abea`
VirtualSize	`0x15f3e`
VirtualAddress	`0x1a9000`
SizeOfRawData	`0x16000`
PointerToRawData	`0x189400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.99261`

/32

MD5	`702cfe42a4603d6173db1c6fa14fce2d`
SHA1	`951a3aa6ba012166da8fafcd9b2ae54be581dd0f`
SHA256	`7c2e08d9a60f9e4581de152c3ed073f69a9c88cc6554168cca9022e5818d9da3`
SHA3	`6c21d206c0bdd8ffc378126dfd275f0cb77d1a25c8b9fb2a06d49cc5ab70c7a5`
VirtualSize	`0x6d02`
VirtualAddress	`0x1bf000`
SizeOfRawData	`0x6e00`
PointerToRawData	`0x19f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.91927`

/46

MD5	`349ff9562dad40cdcf9c0bc039202cd0`
SHA1	`92076aa712d757aaee3fb83e0140386e486bde3d`
SHA256	`e21b9b51ec37131822eb3db45723c50ed4d8f6ce686779a144c382a6db9dccfd`
SHA3	`9e6e099dfd43b0807306daee0f2759562e2f5f384e2d8d9beee8d150a8f0d986`
VirtualSize	`0x3066`
VirtualAddress	`0x1c6000`
SizeOfRawData	`0x3200`
PointerToRawData	`0x1a6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.88486`

/63

MD5	`203ea95450581e94b951585aa5e1feb9`
SHA1	`7d5bdea198d1f25bce4e6f654737a95354294989`
SHA256	`2b02610a73a646521b2249924abaa0f2ea7e5253ac30b8821d14836d890c91fa`
SHA3	`8919868d7ad01fb1da9f858fb7bce2556f55ae8ed03d5f8467afc447f0802618`
VirtualSize	`0x3347`
VirtualAddress	`0x1ca000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x1a9400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.95348`

/80

MD5	`b695610b59faaff118f91fc317f4e65e`
SHA1	`6f4d208a90e255392c574ec0336b99e920d0f362`
SHA256	`233ae9f513e2418ad1e3a6fedf87626384729437a3501a83ccd8d11a2708eb08`
SHA3	`d286a8c03d951ad15f8f24a568274782f8434a89048151253ec5b4b51952349e`
VirtualSize	`0x22`
VirtualAddress	`0x1ce000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1ac800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.613839`

/99

MD5	`7dd15ceec3fce8d361bb4a676fcea15c`
SHA1	`4005b4fe7b87220e83f308d393799245c832ace2`
SHA256	`947eba69486f1e7749bf2982000f79cb9e656c48b54a5e386cf448299a672f97`
SHA3	`6382fcf0e68fd2555884ff4af7237e5def8fa6c6eef1c3f69112e82d8dd4f370`
VirtualSize	`0x2f011`
VirtualAddress	`0x1cf000`
SizeOfRawData	`0x2f200`
PointerToRawData	`0x1aca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.99524`

/112

MD5	`b4a51eba955774079a6c8e825e1d914d`
SHA1	`e5b472cf3a3426726dffa55323345dc3c48daa44`
SHA256	`934edc0b86de2b47b01314d3b8659c617497f2bbb67a87b5ce3640d4158a7810`
SHA3	`0954b23d286b714571004121e48d58f8e081014572242962ec92e9b02e1a354f`
VirtualSize	`0x14e5b`
VirtualAddress	`0x1ff000`
SizeOfRawData	`0x15000`
PointerToRawData	`0x1dbc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98329`

/124

MD5	`cbb390fed3d095a48cba5db46225bd4c`
SHA1	`06d3d28cdb8781e248416c44377a2cd7630fa5f1`
SHA256	`307eaa0f41f4486d827a8339cd7b2f93ff82bee4ac92060a8e46ab8cee1e4ce6`
SHA3	`410cf937d65702422f678f5f0be64b2e94a1291391b2e4ff5d3bc702135c8544`
VirtualSize	`0x76c4`
VirtualAddress	`0x214000`
SizeOfRawData	`0x7800`
PointerToRawData	`0x1f0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.78528`

.idata

MD5	`198bf3e237b0de38c411fc07f3297d4b`
SHA1	`73ec889066521cf875c79860b697ae5bcc10f1f3`
SHA256	`d0d5059d0b3be27bc809587bb1abd2472c587fcc37abde28daf64b48546af6c6`
SHA3	`26270f3ec0b6688f963063b8efff988aa4ed46798fc541c54078b2f878a600dc`
VirtualSize	`0x416`
VirtualAddress	`0x21c000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1f8400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.29141`

.symtab

MD5	`3879b99e3fb5dbdaf7cc86c2d8f4b70a`
SHA1	`11ba0dd1cef504ce8baaf449546b1044523a16cf`
SHA256	`e9ae735e8bf5e5366ad70b8260506687924db647c923eb5be9860a411d86abc5`
SHA3	`9aca7eb90906967ed512bd46018d056c647e0fb10e0ca7ff2ad866159456ba20`
VirtualSize	`0x25b27`
VirtualAddress	`0x21d000`
SizeOfRawData	`0x25c00`
PointerToRawData	`0x1f8a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.2113`

Imports

winmm.dll	`timeEndPeriod` `timeBeginPeriod`
ws2_32.dll	`WSAGetOverlappedResult`
kernel32.dll	`WriteFile` `WriteConsoleW` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `SwitchToThread` `SetWaitableTimer` `SetUnhandledExceptionFilter` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `LoadLibraryA` `LoadLibraryW` `GetSystemInfo` `GetStdHandle` `GetQueuedCompletionStatus` `GetProcessAffinityMask` `GetProcAddress` `GetEnvironmentStringsW` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Tried to read outside the COFF string table to get the name of section /19!
[*] Warning: Tried to read outside the COFF string table to get the name of section /32!
[*] Warning: Tried to read outside the COFF string table to get the name of section /46!
[*] Warning: Tried to read outside the COFF string table to get the name of section /63!
[*] Warning: Tried to read outside the COFF string table to get the name of section /80!
[*] Warning: Tried to read outside the COFF string table to get the name of section /99!
[*] Warning: Tried to read outside the COFF string table to get the name of section /112!
[*] Warning: Tried to read outside the COFF string table to get the name of section /124!