Manalyze report for 15ed589908a80c2e8db14f6ad850e881

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Jun-14 11:43:03
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW`
Malicious	VirusTotal score: 54/70 (Scanned on 2025-02-03 19:18:15)	`ALYac: Gen:Variant.Fugrafa.284513` `APEX: Malicious` `AVG: Win32:BotX-gen [Trj]` `AhnLab-V3: Trojan/Win.BotX-gen.C5441530` `Alibaba: TrojanBanker:Win32/Generic.cd489692` `Antiy-AVL: Trojan[Banker]/Win32.Qbot` `Arcabit: Trojan.Fugrafa.D45761` `Avast: Win32:BotX-gen [Trj]` `Avira: TR/AD.KBot.cxhta` `BitDefender: Gen:Variant.Fugrafa.284513` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.172922642550e881` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: BackDoor.Qbot.792` `ESET-NOD32: a variant of Generik.GOVJGTE` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Fugrafa.284513 (B)` `F-Secure: Trojan.TR/AD.KBot.cxhta` `FireEye: Generic.mg.15ed589908a80c2e` `Fortinet: W32/PossibleThreat` `GData: Gen:Variant.Fugrafa.284513` `Google: Detected` `Ikarus: Trojan.SuspectCRC` `K7AntiVirus: Trojan ( 005a7c071 )` `K7GW: Trojan ( 005a7c071 )` `Kaspersky: HEUR:Trojan-Banker.Win32.Qbot.gen` `Kingsoft: Win32.Trojan-Banker.Qbot.gen` `Lionic: Trojan.Win32.Qbot.11!c` `MaxSecure: Trojan.Malware.74816637.susgen` `McAfee: GenericRXWD-JJ!15ED589908A8` `McAfeeD: Real Protect-LS!15ED589908A8` `MicroWorld-eScan: Gen:Variant.Fugrafa.284513` `Microsoft: Trojan:Win32/Cutwail!ic` `NANO-Antivirus: Trojan.Win32.Qbot.jwwilr` `Paloalto: generic.ml` `Panda: Trj/Chgt.AD` `Rising: Trojan.Kryptik@AI.89 (RDML:iKA+EG2OvKIVzgwgkoyx/g)` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Generic.vm` `Sophos: Mal/Generic-S` `Symantec: Trojan Horse` `Tencent: Malware.Win32.Gencirc.13d3fba8` `Trapmine: malicious.moderate.ml.score` `VIPRE: Gen:Variant.Fugrafa.284513` `Varist: W32/ABTrojan.TKIZ-5549` `VirIT: Trojan.Win32.Genus.RGS` `Xcitium: Malware@#211noq8ifz5fb` `Yandex: Trojan.Agent!Ms08HwBEApc` `Zillya: Trojan.Qbot.Win32.15144` `alibabacloud: Trojan[stealer]:Win/Cutwail.Gen`

Hashes

MD5	`15ed589908a80c2e8db14f6ad850e881`
SHA1	`7861197b3a759f5354f209e934ed468e60df1940`
SHA256	`90ba164a4329285555718582428b2e225fadbf3cedcde35b61764a94a7660933`
SHA3	`abb4930f7e2e659e793f54eaef58dc3e8e9a93807f2241f362b63fb9d23064f4`
SSDeep	`24576:h2fJSwRBmRwKLt+ujYczdsXBOKrnkvrKmO8ZSFBg0HQ4I2YvhBr7KW:Ym9M2aXAe5gOQvF7KW`
Imports Hash	`c389d5e64bcd131854ca9a65d47d92eb`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2023-Jun-14 11:43:03
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x15800`
SizeOfInitializedData	`0x268e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000C7FC (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x17000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x283000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`033b98bba5c82d92682171691557c296`
SHA1	`2c7d8dd3678181cd6e61a13ad389ec6fc455e3fa`
SHA256	`76fd55e042704780072c9eefaeb0b01ff12d4f39840516743e6eb94325575b8d`
SHA3	`685fa9bf50cfeebc6613e3f4237524eaa2c17985c5e8ff250d04811e335f2a77`
VirtualSize	`0x156e0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x15800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.69755`

.rdata

MD5	`555197c21ee39277e933a0594279841b`
SHA1	`ef2230db018e324fde10429d2121fe761c10d703`
SHA256	`c23f6b888f9af6141db462a82509430431a8c8228d9f2e7e713f8d3390f3c422`
SHA3	`001d79bf82a31c940bd8385707b84e922355d7e82cc73f5ec957023792a4a592`
VirtualSize	`0xbff9c`
VirtualAddress	`0x17000`
SizeOfRawData	`0xc0000`
PointerToRawData	`0x15c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.09595`

.data

MD5	`efd69a01f626ab3ebe35beec2e102973`
SHA1	`5b40134398e00c1677d557be8e48da9ea9fcfdbb`
SHA256	`54c957df7d2a1fd9359a0bad823cfed1a51780688e1fcd83d9b48dd9aedbf599`
SHA3	`77469c1500de3119a541f08cd0e294ff37696097df57cb31abd329221733d0f5`
VirtualSize	`0x1a74c0`
VirtualAddress	`0xd7000`
SizeOfRawData	`0x1a6a00`
PointerToRawData	`0xd5c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.99242`

.gfids

MD5	`0d2d0c916dad1e34b620ae4cc716854a`
SHA1	`6d6f4080d19dd0bd74daadd1e0a85dde3a0a4e96`
SHA256	`a9643ebb51bdf11aa8b63856c515402577642aa1f9f40b7ce5942160dd6933b4`
SHA3	`798ee1a1334d46b04c5d7dc9aec9655b56f5d4b129f31633ab573e45f30f2983`
VirtualSize	`0xd0`
VirtualAddress	`0x27f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x27c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.7511`

.rsrc

MD5	`d261ddf51678f9b5b27865ee6f75732f`
SHA1	`958167dea55ad6eb5febeb9a086b43e571171d00`
SHA256	`eca4d10d2555dff54af800d4731f96a2374dbd3bfd0e52e707a0d5e095834082`
SHA3	`1a656346b72927c630b2538e440312cc2b4e6decba15bc766cbc2e1732ae10d0`
VirtualSize	`0x1e0`
VirtualAddress	`0x280000`
SizeOfRawData	`0x200`
PointerToRawData	`0x27c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7015`

.reloc

MD5	`5b11a7073db6958b846690809f22ef25`
SHA1	`51f1c787a4248c7ef06326be65e1e87d4c37ed1f`
SHA256	`76ec9e179fcc4204d7d0603501adcd9fa667009865f317b7d215ba8db1aa66f5`
SHA3	`46ec6176ee8716840e2d44fe65e740f5caf8fab52d31042a0f66cca6c4f5d430`
VirtualSize	`0x1380`
VirtualAddress	`0x281000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x27ca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57687`

Imports

KERNEL32.dll	`EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSection` `CloseHandle` `GetLastError` `DeleteCriticalSection` `CreateThread` `GetCurrentThreadId` `GetCurrentProcessId` `CreateFileMappingA` `MapViewOfFile` `OpenFileMappingA` `UnmapViewOfFile` `ExitProcess` `VirtualAlloc` `CreateMutexA` `ReleaseMutex` `ExitThread` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `SetLastError` `HeapAlloc` `FreeLibrary` `GetModuleHandleW` `GetModuleHandleExW` `GetProcAddress` `HeapFree` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetSystemTimeAsFileTime` `LoadLibraryExW` `LCMapStringW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetProcessHeap` `GetStringTypeW` `MultiByteToWideChar` `WideCharToMultiByte` `HeapSize` `HeapReAlloc` `GetStartupInfoW` `QueryPerformanceCounter` `InitializeSListHead` `RtlUnwind` `EncodePointer` `RaiseException` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `FindClose` `FindFirstFileExW` `FindNextFileW` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetStdHandle` `GetFileType` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `SetFilePointerEx` `WriteConsoleW` `DecodePointer` `CreateFileW`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Jun-14 11:43:03
Version	`0.0`
SizeofData	`1404`
AddressOfRawData	`0xd5e98`
PointerToRawData	`0xd4a98`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x67d7f8`
SEHandlerTable	`0`
SEHandlerCount	`0`

RICH Header

XOR Key	`0xee2ae326`
Unmarked objects	`0`
Unmarked objects (#2)	`2`
ASM objects (24237)	`18`
C++ objects (24237)	`34`
C objects (24237)	`17`
241 (40116)	`9`
243 (40116)	`121`
242 (40116)	`26`
Imports (65501)	`3`
Total imports	`93`
C++ objects (24245)	`2`
Resource objects (24245)	`1`
Linker (24245)	`1`

15ed589908a80c2e8db14f6ad850e881

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors