Manalyze report for 18ae396b910b42c020d9718fc2fb89a0

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Jan-16 09:46:26
Detected languages	English - United States Russian - Russia
TLS Callbacks	2 callback(s) detected.
ProductName	Gepard Shield
ProductVersion	`3.0`
LegalCopyright	Functor © 2025
OriginalFilename	gepard.dll

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe` `Contains domain names: http://msdl.microsoft.com http://msdl.microsoft.com/download/symbols microsoft.com msdl.microsoft.com www.lua.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	This PE is packed with VMProtect	`Unusual section name found: .adata` `Unusual section name found: .vmp0` `Unusual section name found: .vmp1` `Unusual section name found: .vmp2`
Suspicious	The PE contains functions most legitimate programs don't use.	`Possibly launches other programs: ShellExecuteA` `Leverages the raw socket API to access the Internet: gethostbyname` `Interacts with services: ControlService`
Info	The PE is digitally signed.	`Signer: Nikulina Anastasiya Vladimirovna` `Issuer: Sectigo RSA Code Signing CA`
Malicious	VirusTotal score: 3/72 (Scanned on 2025-01-24 14:12:38)	`Bkav: W32.AIDetectMalware` `Trapmine: malicious.moderate.ml.score` `VBA32: Malware-Cryptor.Inject.gen`

Hashes

MD5	`18ae396b910b42c020d9718fc2fb89a0`
SHA1	`0254400575c9d50d5240880942c161fc42361d94`
SHA256	`b1d95dd5706cf2c7446b8fcd1d5fd07466cc6464a648007742f75614aec00777`
SHA3	`77de8968d8b5de8bf92782ae566d7d29e9d224df5775a5947e1f5e5a95399788`
SSDeep	`393216:5rz/ISF4rlvec7YSU3xEuNRpB2CPXPlq6+rcx03Ama:d/nUt7YS4EuPZPXPlq7cAAma`
Imports Hash	`942c157fa01a7fdc97f91b705fe1177c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`10`
TimeDateStamp	2021-Jan-16 09:46:26
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0xbce00`
SizeOfInitializedData	`0x66200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00DD4BB6 (Section: .vmp2)`
BaseOfCode	`0x1000`
BaseOfData	`0xbf000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x12ad000`
SizeOfHeaders	`0x400`
Checksum	`0x12abc16`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ef5a5007c6c18116935980047f2b5a95`
SHA1	`f058fbd47d19542ff839e60762c72767e2b0c83f`
SHA256	`2fee778e611d5307b480b95a6180d92d798f9356f01741f8a1decd97816b47fd`
SHA3	`7cf9ae4d80233bc45ba49587d3763d5df14d4d258ec7df548e74c1f7cb1e72b2`
VirtualSize	`0xba2bc`
VirtualAddress	`0x1000`
SizeOfRawData	`0xba400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.07526`

.adata

MD5	`5ba46d8a14b20297abbf56dfd456bb92`
SHA1	`e04690f162b4c036b81802333e30294df947a353`
SHA256	`41f5749cf7b39987d80d2f830ea548909e9f1d94c47ff1ac1fddd5577e7de77c`
SHA3	`537d24ef6a45e7c2b94d6da8b81d5a2373b556b62c36c570831962484fcc04b0`
VirtualSize	`0x29b0`
VirtualAddress	`0xbc000`
SizeOfRawData	`0x2a00`
PointerToRawData	`0xba800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.68261`

.rdata

MD5	`8f6f4a63de41da41a2633425d718cb54`
SHA1	`a482170baca3195394672b7f1b78037cc89b8d16`
SHA256	`4a8eb95e0816359b4e9a58fb0cf39878a4a70989753952d5fc5e0f90d133b41b`
SHA3	`a9b9fe0d8321a3a71681ff132b02121d45c9851019517830e8198746bc6f18e4`
VirtualSize	`0x24a40`
VirtualAddress	`0xbf000`
SizeOfRawData	`0x24c00`
PointerToRawData	`0xbd200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.3004`

.data

MD5	`d34ebac9becfd67cc84d5eb2351cf49c`
SHA1	`18130c546a24c371e5e7e5804a4af6652cc270aa`
SHA256	`05f288d1997f662c0f188c8e9a7a201fd2739a6bf07326fd549e5034b2d3a3c5`
SHA3	`9eaf9c885f6e8b6455e833ca0f4c3530d95844550429a8c2458006a6abd7cc48`
VirtualSize	`0x84c4`
VirtualAddress	`0xe4000`
SizeOfRawData	`0x4200`
PointerToRawData	`0xe1e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.96636`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x2`
VirtualAddress	`0xed000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.vmp0

MD5	`e95c138ebfb2bafacd4f34c87663ab07`
SHA1	`9b5623b8ae8c6a1679b101af1ad4db4149d451bd`
SHA256	`2c2d94758f9732e7a46b950558375fae4c920a0be6964673cc4bfa00375f4f9e`
SHA3	`7ad1e8932403c0b8ff0f15cbdf44a00d18ff55fa6dca1658d213a43562f6850b`
VirtualSize	`0xc26b7e`
VirtualAddress	`0xee000`
SizeOfRawData	`0xc26c00`
PointerToRawData	`0xe6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.8644`

.vmp1

MD5	`4518e17044c887ed19c943e1f4b14694`
SHA1	`e1b0ffe0989902a110f6f8d037b01370a4df7593`
SHA256	`65aaf1cb51fd15142650f9c4f8bda0c2542f86ef819de9aefe892997c7e8741a`
SHA3	`47e0a73c3d217900e75f3d52b5f567add6961bf1e2725d06c2e0ea7c072d8970`
VirtualSize	`0xb4`
VirtualAddress	`0xd15000`
SizeOfRawData	`0x200`
PointerToRawData	`0xd0ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.11274`

.vmp2

MD5	`c079542cb80a1f08a1532708ef96dcd1`
SHA1	`bb3692a91dba31df859d82fff99d14c6923db864`
SHA256	`ad95c9f19827866ab15561eb0bf9289f9a5ef4edf45e12f9a1735d409794a12e`
SHA3	`d7082009628b61e3eed1a80051d3c690b41ea697f9ca839fb5e47d8a1e5fded6`
VirtualSize	`0x559830`
VirtualAddress	`0xd16000`
SizeOfRawData	`0x559a00`
PointerToRawData	`0xd0d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.55245`

.rsrc

MD5	`2f0f087992c9aa95551d62d18c421ead`
SHA1	`23b7b0d5c5f040f5814c3eeb690a8d6d1d7ba5cb`
SHA256	`694b9531f20a71e3cccec22e9bad3b59d2e97121ecc206c3460811df9aaeef23`
SHA3	`5452a9a5a6aeb09f81e754fb868692bd383497eea60474a2827dad0ece4659e7`
VirtualSize	`0x30326`
VirtualAddress	`0x1270000`
SizeOfRawData	`0x30400`
PointerToRawData	`0x1266a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.38027`

.reloc

MD5	`7610b20ff1e259e683af3ffc30d22261`
SHA1	`1490e89142a90ea8bfde96678f41949d8f706c61`
SHA256	`fe9ecc08ef982f5f68e535bf546f6ee43c8a64a7b0c5a8daf7210880664bab6a`
SHA3	`76c763f810084393826ffefe7ca75e6f081df9b4a26ca8a24ff0fa8ec9bd1f23`
VirtualSize	`0xb510`
VirtualAddress	`0x12a1000`
SizeOfRawData	`0xb600`
PointerToRawData	`0x1296e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.22703`

Imports

KERNEL32.dll	`GetVersion` `GetVersionExA`
USER32.dll	`SendMessageA`
GDI32.dll	`SelectObject`
ADVAPI32.dll	`ControlService`
SHELL32.dll	`ShellExecuteA`
ole32.dll	`CoInitializeEx`
OLEAUT32.dll	`SysAllocString`
COMCTL32.dll	`#17`
WS2_32.dll	`gethostbyname`
WTSAPI32.dll	`WTSEnumerateProcessesA`
WINMM.dll	`timeGetTime`
dbghelp.dll	`SymFunctionTableAccess64`
SHLWAPI.dll	`PathFindFileNameA`
PSAPI.DLL	`GetProcessImageFileNameA`
IPHLPAPI.DLL	`GetExtendedTcpTable`
WININET.dll	`HttpOpenRequestA`
ntdll.dll	`NtSetInformationThread`
FLTLIB.DLL	`FilterFindNext`
VERSION.dll	`GetFileVersionInfoA`

Delayed Imports

get_gepard_version

Ordinal	`1`
Address	`0x5efe0`

101

Type	`SPLASH_IMAGE`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x1ba24`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.96185`
Detected Filetype	PNG graphic file
MD5	`11ba3236523080b581f778b6fcf63435`
SHA1	`402bec32cb21442328b7fb221bdf580487162bb4`
SHA256	`b37163eb4d75a198667a01ded8ff8d751d1302d87d4c412f396c6ae7e354c5dc`
SHA3	`5894f8e1ccbf95adf14825658b9c98535de6a83ebe922109bee85cd7a78c3413`

102

Type	`RT_BITMAP`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x3d18`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.842325`
MD5	`d0e6e9766e64b0749b63064ab54b036a`
SHA1	`d6e66aa77b34c7cda7bc881ea6c6e751303d9f61`
SHA256	`6264026adc105a439efe1c8e2a123b0e99f2243f61d39ccbeec2f16c46ae1e80`
SHA3	`5c804ae1b7a47a201233553cf25209d5becae563f986a66f7ec99f8a96755f29`
Preview

101 (#2)

Type	`RT_RCDATA`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x1138`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.45027`
MD5	`0cadd16f3f683347b83940c1af849f85`
SHA1	`c8b640c493282722078c7be31f82fa3e7d975fe5`
SHA256	`14368b549fc8fb77830984937614aa08f63bee968d7801abab5fae88f8ffec55`
SHA3	`c4b9f7b0fcb1a57d54cade927b1ed67a918a19cc28233b7d9f0dbc74d5932bdc`

105

Type	`RT_RCDATA`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0xf5cc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.33079`
MD5	`78626ec743e35d9d91624b0bcf901e59`
SHA1	`17326365a16c99218b30798823dc396a2b17aca8`
SHA256	`11b113d56554bb208c06c297fd3bd7510468d38c8c01572b8b1a2408afb900a1`
SHA3	`f7d5e47981207d166eee1b9081a3ed48fb11d55f9352a905ea5e31f9c8dc6de4`

1

Type	`RT_VERSION`
Language	Russian - Russia
Codepage	Latin 1 / Western European
Size	`0x1c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.33377`
MD5	`a77222f5099f3cbe2f3b8bf044877947`
SHA1	`26a838e50361490bd8480626264f45ee2729ee5e`
SHA256	`720bd113a51070a2352ad1ff749f2ee3f02dc84df1078454ed2ec8c62e294e14`
SHA3	`bd0e961c64f45027ff3486d9a740925289d89a4f9ce6bc55ce80a60a487f96fe`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	25.1.16.91
ProductVersion	3.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
ProductName	Gepard Shield
ProductVersion (#2)	3.0
LegalCopyright	Functor © 2025
OriginalFilename	gepard.dll

Resource LangID	Russian - Russia

TLS Callbacks

StartAddressOfRawData	`0x100ed000`
EndAddressOfRawData	`0x100ed001`
AddressOfIndex	`0x100e9118`
AddressOfCallbacks	`0x10ebc0b8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x10FAE0FB` `0x100AE230`

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x100e46d8`
SEHandlerTable	`0x1126f2d0`
SEHandlerCount	`341`

RICH Header

18ae396b910b42c020d9718fc2fb89a0

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.adata

.rdata

.data

.tls

.vmp0

.vmp1

.vmp2

.rsrc

.reloc

Imports

Delayed Imports

get_gepard_version

101

102

101 (#2)

105

1

2

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors