Manalyze report for 12c13fbc1cb91f08144e44c5ed0f350c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Nov-17 13:11:22
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for VirtualBox presence: VBoxGuest VBoxMouse VBoxSF VBoxTray` `Looks for Qemu presence: QemU qemu`
Suspicious	The PE is possibly packed.	`Unusual section name found: .gxfg` `Unusual section name found: .retplne`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Code injection capabilities (process hollowing): ResumeThread SetThreadContext WriteProcessMemory` `Possibly launches other programs: CreateProcessW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualAllocEx VirtualProtect` `Manipulates other processes: ReadProcessMemory WriteProcessMemory`
Malicious	VirusTotal score: 57/71 (Scanned on 2024-11-26 09:58:18)	`ALYac: Gen:Variant.Lazy.624192` `AVG: Win64:InjectorX-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.R682813` `Alibaba: TrojanPSW:Win64/Stealer.8b064c9e` `Antiy-AVL: Trojan[PSW]/Win64.Stealer` `Arcabit: Trojan.Lazy.D98640` `Avast: Win64:InjectorX-gen [Trj]` `Avira: TR/Injector.iqzmw` `BitDefender: Gen:Variant.Lazy.624192` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojanpws.Win64` `CTX: exe.trojan.stealer` `ClamAV: Win.Keylogger.Lazy-10037596-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.PWS.Stealer.41151` `ESET-NOD32: a variant of Win64/Injector.KQ` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Lazy.624192 (B)` `F-Secure: Trojan.TR/Injector.iqzmw` `FireEye: Gen:Variant.Lazy.624192` `Fortinet: PossibleThreat.MU` `GData: Gen:Variant.Lazy.624192` `Google: Detected` `Gridinsoft: Trojan.Win64.Downloader.sa` `Ikarus: Trojan.Win64.Injector` `K7AntiVirus: Trojan ( 0059c3fb1 )` `K7GW: Trojan ( 0059c3fb1 )` `Kaspersky: Trojan-PSW.Win64.Stealer.akhr` `Kingsoft: Win64.Trojan-PSW.Stealer.gen` `Lionic: Trojan.Win32.Stealer.12!c` `Malwarebytes: Malware.AI.4215980365` `MaxSecure: Trojan.Malware.303022029.susgen` `McAfee: Artemis!12C13FBC1CB9` `McAfeeD: Real Protect-LS!12C13FBC1CB9` `MicroWorld-eScan: Gen:Variant.Lazy.624192` `Microsoft: Trojan:Win64/Lazy.POAH!MTB` `Paloalto: generic.ml` `Panda: Trj/GdSda.A` `Rising: Stealer.Agent!8.C2 (TFE:5:zXZO7cImnKJ)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Injector.rh` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Malware.Win32.Gencirc.10c06ea7` `Trapmine: malicious.high.ml.score` `TrendMicro: TrojanSpy.Win64.MEDUZASTEALER.YXEKRZ` `TrendMicro-HouseCall: TrojanSpy.Win64.MEDUZASTEALER.YXEKRZ` `VIPRE: Gen:Variant.Lazy.624192` `Varist: W64/Stealer.FM` `ViRobot: Trojan.Win.Z.Lazy.4270080.J` `Webroot: W32.Trojan.Gen` `alibabacloud: Trojan[stealer]:Win/Stealer.acev` `huorong: Trojan/W64.Agent.dq`

Hashes

MD5	`12c13fbc1cb91f08144e44c5ed0f350c`
SHA1	`accc1f7ea8be71ff2b5126d9c68d8b36a1be9afb`
SHA256	`ea802b3b7bb8e2c558e14d6a946231dfa0f22e746e622296ce60babd10511f9f`
SHA3	`a800d70ee7b5db6efb22aa69c8542c398fbf2122e8a9fb0a3183e241054c4b6d`
SSDeep	`49152:/xGK0l3e3uHuDgMhX32D/jzt2yd6CWw2Krd+S5rVWgpTZ:/xGK09yuFZ`
Imports Hash	`78c9da53bf2d072d61b49d02beb24690`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2024-Nov-17 13:11:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x79600`
SizeOfInitializedData	`0x398c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000050200 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x41c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`186e011cfbf8022fa84d5f0ef4ee3df7`
SHA1	`ff43dd55e8c8e83a6ec41a73fa69d65efdb6893d`
SHA256	`f792f186ac4c95f63ac26617b9fd6963dab70c0e79d3c1bb1abe1b3894a7658d`
SHA3	`b4e3f1926fb2cd362d78e0def30db1678cc55c536981cc40f01f0333993c2306`
VirtualSize	`0x79546`
VirtualAddress	`0x1000`
SizeOfRawData	`0x79600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44057`

.rdata

MD5	`9a390bac843832f42e81eb9808f59f23`
SHA1	`1d05645bfe9f0898a8edf7be3b1022cd6d1f9a8e`
SHA256	`7662b5f265be3f20944dbca8b0b9abd178fce6f1618fdc23c1ddb39f5d70e2a8`
SHA3	`16d562c5c6c8d3cc505c3a4a6e846258e77296846c5a921b3a0f90d89d9d5ecf`
VirtualSize	`0x38bf44`
VirtualAddress	`0x7b000`
SizeOfRawData	`0x38c000`
PointerToRawData	`0x79a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.95871`

.data

MD5	`7568d2f08f4ac81dae4d5e33ab60923a`
SHA1	`b080f82ccc23b49772085a78bcb22591fe404d7a`
SHA256	`03924c4d9b458515dc9815011f2a467dd82eed2f68f598dcb963ff38936ada8e`
SHA3	`b448c4741a38df99173ec26e39c7cd101907f50897bf1b5acbcaab8631e578d5`
VirtualSize	`0x36f8`
VirtualAddress	`0x407000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x405a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.5531`

.pdata

MD5	`4edc9593f97b9b4e42d309e7db70aca7`
SHA1	`dfce2462083e4241dad420c8529d8bfdeb66d201`
SHA256	`d4b09df9f7b18a060173f5fde8aa6b66d0a36e5dff95c4055cbd543481b8110a`
SHA3	`ea56b2089c820201038b00522282683552bdbf8512eb40e27a7dd97a6ef2ae9a`
VirtualSize	`0x65e8`
VirtualAddress	`0x40b000`
SizeOfRawData	`0x6600`
PointerToRawData	`0x407600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.76413`

.00cfg

MD5	`c8b156cca6c1f20e90ecbf8f3612fd39`
SHA1	`3302f922f3f17e2035c61c4824d431cc738a4737`
SHA256	`b40e3f916668db384930ca78b737ad35528fc8822872992c845fa075d72c29ed`
SHA3	`be0650a950feef13cce43fed79fe9afbc69fcd980d91d3001afe89db95ef85b8`
VirtualSize	`0x38`
VirtualAddress	`0x412000`
SizeOfRawData	`0x200`
PointerToRawData	`0x40dc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.471671`

.gxfg

MD5	`a3fb3e1da377202334d413fbe0e439a4`
SHA1	`2ac695d38b0aa5d9e183ad8f3316d928d0b6ec12`
SHA256	`8f96016124ca070c1b4628052c5d5e857f8886ffa0b06fa5f7f64b0de91a787b`
SHA3	`e98329027d46a0e93811f588d006c1412063132e7636ef5165e811769284da2e`
VirtualSize	`0x2200`
VirtualAddress	`0x413000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x40de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.23069`

.retplne

MD5	`8c950f651287cbc1296bcb4e8cd7e990`
SHA1	`018fcd27ff9f8487c792aecf902a516f00c03d18`
SHA256	`15163cfff9feb802c2e7699f17e01245e54304d28a1650c79f9237de661774e0`
SHA3	`5b66ec3ad2d5f760e44bb32dd7acc837d5364d21154bccafc1c375d2993cd545`
VirtualSize	`0x8c`
VirtualAddress	`0x416000`
SizeOfRawData	`0x200`
PointerToRawData	`0x410000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`(EMPTY)`
Entropy	`1.05058`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x417000`
SizeOfRawData	`0x200`
PointerToRawData	`0x410200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

_RDATA

MD5	`b9c7c28bbb6fccd97a8b522b747b58b7`
SHA1	`e2d6a2eeb76de07d264e2e8f37b3aac465b97529`
SHA256	`101ec4ba042fbbeb5c410b11db117343afe2a1be48a7285c5947f9adcebf125a`
SHA3	`2ef4e3275231dafdc23bd0a3c02b74134ef811875462db6097cfca28c3f4b2bf`
VirtualSize	`0x1f4`
VirtualAddress	`0x418000`
SizeOfRawData	`0x200`
PointerToRawData	`0x410400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.2389`

.rsrc

MD5	`d38b4cd68eb239a7aa6a06b6f8091e1d`
SHA1	`54ce2fb9ad69398929cd85bb783a6731d6a02f99`
SHA256	`68f7268a5dbb216ccbb54765d34623875520a73a5aece76b880948415de65dfc`
SHA3	`98f3827cde827f820e35b6fe6d78db1602cb65d7673932d2c397cd7b46e2b2f6`
VirtualSize	`0x1a8`
VirtualAddress	`0x419000`
SizeOfRawData	`0x200`
PointerToRawData	`0x410600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.17966`

.reloc

MD5	`13f065f7aeef4dbbab821942b99113ab`
SHA1	`f011a60ba07340548b248d4c88edccf96a8771d2`
SHA256	`8e5200413d207d909130fe2af4e73611ef834882f616f73fd62824e647f325df`
SHA3	`5880303909f061640f080425747eec57a270cb692e09fa47d320a33b56757d44`
VirtualSize	`0x1e18`
VirtualAddress	`0x41a000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x410800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.37538`

Imports

USER32.dll	`GetRawInputDeviceInfoW` `GetRawInputDeviceList`
KERNEL32.dll	`AcquireSRWLockExclusive` `AreFileApisANSI` `CloseHandle` `CreateFileMappingW` `CreateFileW` `CreateProcessW` `DecodePointer` `DeleteCriticalSection` `EncodePointer` `EnterCriticalSection` `EnumSystemLocalesW` `ExitProcess` `FindClose` `FindFirstFileExW` `FindFirstFileW` `FindNextFileW` `FlsAlloc` `FlsFree` `FlsGetValue` `FlsSetValue` `FlushFileBuffers` `FormatMessageA` `FreeEnvironmentStringsW` `FreeLibrary` `GetACP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetConsoleMode` `GetConsoleOutputCP` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetEnvironmentStringsW` `GetExitCodeProcess` `GetFileAttributesExW` `GetFileInformationByHandleEx` `GetFileSizeEx` `GetFileType` `GetLastError` `GetLocaleInfoEx` `GetLocaleInfoW` `GetModuleFileNameW` `GetModuleHandleExW` `GetModuleHandleW` `GetOEMCP` `GetProcAddress` `GetProcessHeap` `GetStartupInfoW` `GetStdHandle` `GetStringTypeW` `GetSystemInfo` `GetSystemTimeAsFileTime` `GetThreadContext` `GetUserDefaultLCID` `GlobalAlloc` `GlobalFree` `HeapAlloc` `HeapFree` `HeapReAlloc` `HeapSize` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InitializeCriticalSectionEx` `InitializeSListHead` `IsDebuggerPresent` `IsProcessorFeaturePresent` `IsValidCodePage` `IsValidLocale` `K32EnumDeviceDrivers` `K32GetDeviceDriverBaseNameW` `LCMapStringEx` `LCMapStringW` `LeaveCriticalSection` `LoadLibraryA` `LoadLibraryExW` `LocalFree` `MapViewOfFile` `MultiByteToWideChar` `QueryPerformanceCounter` `RaiseException` `ReadConsoleW` `ReadFile` `ReadProcessMemory` `ReleaseSRWLockExclusive` `ResumeThread` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlPcToFileHeader` `RtlUnwind` `RtlUnwindEx` `RtlVirtualUnwind` `SetFilePointerEx` `SetLastError` `SetStdHandle` `SetThreadContext` `SetUnhandledExceptionFilter` `TerminateProcess` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `TryAcquireSRWLockExclusive` `UnhandledExceptionFilter` `UnmapViewOfFile` `VirtualAlloc` `VirtualAllocEx` `VirtualFree` `VirtualProtect` `VirtualQuery` `VirtualQueryEx` `WaitForSingleObject` `WideCharToMultiByte` `WriteConsoleW` `WriteFile` `WriteProcessMemory`
MPR.dll	`WNetCloseEnum` `WNetEnumResourceA` `WNetOpenEnumA`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x143`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.71208`
MD5	`9ce8c70178061cc4cf4a6bb1e291df93`
SHA1	`dc9804dd3aa348fb0c05f53c53c698518af514a0`
SHA256	`6f88bc7cb02ccb2dbc26b5f4ce53e355b331e31bb920b2ba8cbbcd1b5d4cd5a0`
SHA3	`9492809889cb617928395fd8b46fc6dd11eeb9b1101175bd478b7c4ca5bc10e1`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140417000`
EndAddressOfRawData	`0x140417008`
AddressOfIndex	`0x140409258`
AddressOfCallbacks	`0x1403fbd98`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140407040`

RICH Header

12c13fbc1cb91f08144e44c5ed0f350c

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.00cfg

.gxfg

.retplne

.tls

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors