Manalyze report for 1d63b195bd38cad51d7eea718c9d228d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Jul-30 08:52:21

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryW GetProcAddress` `Can create temporary files: GetTempPathW CreateFileW`
Malicious	VirusTotal score: 31/72 (Scanned on 2025-01-21 08:36:57)	`APEX: Malicious` `Antiy-AVL: Trojan/Win32.SchoolGirl` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.17374152299d228d` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_70% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `FireEye: Generic.mg.1d63b195bd38cad5` `Fortinet: W64/CoinMiner.526230!tr` `GData: Win64.Trojan.Agent.N91JD2` `Google: Detected` `Gridinsoft: Trojan.Win64.Agent.bot!s1` `Ikarus: Trojan.Win64.Agent` `K7AntiVirus: Riskware ( 00584baa1 )` `K7GW: Riskware ( 00584baa1 )` `Lionic: Trojan.Win32.Gen.tqzj` `Malwarebytes: Generic.Malware.AI.DDS` `McAfee: Artemis!1D63B195BD38` `McAfeeD: ti!DAF4D71696A7` `Microsoft: Program:Win32/Wacapew.C!ml` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.RealProtect.dm` `VBA32: TrojanPSW.Win64.Banker` `Varist: W64/Bulz.BB.gen!Eldorado` `VirIT: Trojan.Win32.Banker1.BMNA` `Zillya: Trojan.Generic.Win32.838255` `tehtris: Generic.Malware`

Hashes

MD5	`1d63b195bd38cad51d7eea718c9d228d`
SHA1	`76f94f8f4d8926dd02ba9314fba7cad27a58571a`
SHA256	`daf4d71696a7378aa22877c6b2fccf900fe57a26a528c08bf4c7e4ef2bd634ad`
SHA3	`b41eae090a5749ce04eb3f5776dfda9e5d5f7033da60e06ff8560fd95dbed188`
SSDeep	`6144:nt5hBPi0BW69hd1MMdxPe9N9uA069TBNy+:ntzww69Tzy+`
Imports Hash	`7182b1ea6f92adbf459a2c65d8d4dd9e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2019-Jul-30 08:52:21
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x16200`
SizeOfInitializedData	`0x22a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001000 (Section: .code)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x3e000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`bf90681e6a2fc3ae2cafaa536804f308`
SHA1	`a64a539ccb5ac41a8f594b60f7f567944b712182`
SHA256	`132b3650e49de953081b6eaa8b89005d1b958b818fb4e58c524ded1c074c9fd0`
SHA3	`c46f3c39cd402fb274b170b23313415e01241ad8b5af4faead450cc0bbf0136a`
VirtualSize	`0x5a99`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.47081`

.text

MD5	`8a1a401c4bd106ea802d83f827d2ddd2`
SHA1	`ba522367b155c12f0cfa2c2bdaf8457fa64f0b96`
SHA256	`900a0bbdf1e3b6b7fd61e7f84ab9db4406cd1d06ef9e5ad3e73acb6de65f002f`
SHA3	`12719bcb5fd52d0d8ddc8800fac2a8360fcb8e238624c348c145b384fd68c317`
VirtualSize	`0x105b5`
VirtualAddress	`0x7000`
SizeOfRawData	`0x10600`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.35986`

.rdata

MD5	`546e073a6443174d5e09f21ab6d487ce`
SHA1	`c271a82ffeaf7c9a6e210fb0d003ddaaebad2801`
SHA256	`9cd909a01b354415b1574a76b3dd4bc0dfee6651a287a5206f6e10b62d8ce439`
SHA3	`fe17b37b529a3e52d747ac8d924466745cd7cdb10288b6417bfeba8bfe27be8d`
VirtualSize	`0x4b3d`
VirtualAddress	`0x18000`
SizeOfRawData	`0x4c00`
PointerToRawData	`0x16600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.66669`

.pdata

MD5	`e81bd35fde0f70c926459e823327da76`
SHA1	`6700166d9cffb7f1003ba9a8c06d2e7fff8724eb`
SHA256	`0302dab6e83134468a53ac9b21d51375b8d004da94bca07d698e8280464580ee`
SHA3	`7d3989266acbed4713a2ee66ae389d8c37e56db79d68d3c8bf446664de5b06eb`
VirtualSize	`0x10d4`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1b200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.88103`

.data

MD5	`a29007f45e523f5556bffe364e7920f9`
SHA1	`bb2b2760276688b252ab25f1b6fa7aa38ec7d9ad`
SHA256	`bcfa1fd0dc45d90bc9d580005dfeb4d6039c4297ae0f0dadc04a9b690e9cfea8`
SHA3	`9cc9e1c3ea5c5186d7c6bcdcabe88c292ae39cdc635c1e0bcfd6517d61258e0e`
VirtualSize	`0x2318`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x1c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.29901`

.rsrc

MD5	`38c7e944d8364ef02a8207e64270c303`
SHA1	`bed2b6e867bc0029fd0ede012271a3dfa3de407d`
SHA256	`9b6e546cfe5c2b7bc77ecfd0c9d8c201e7b76d7f9c57af7a7806c3af8643aae5`
SHA3	`bbf7139d6d49696ecfcd87b24be084c99ee7475911f0b485b88316acd7ad1406`
VirtualSize	`0x1b5cc`
VirtualAddress	`0x22000`
SizeOfRawData	`0x1b600`
PointerToRawData	`0x1da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.27511`

Imports

msvcrt.dll	`memset` `wcsncmp` `memmove` `wcsncpy` `wcsstr` `_wcsnicmp` `_wcsdup` `free` `_wcsicmp` `wcslen` `wcscpy` `wcscmp` `memcpy` `tolower` `wcscat` `malloc`
KERNEL32.dll	`GetModuleHandleW` `HeapCreate` `GetStdHandle` `HeapDestroy` `ExitProcess` `WriteFile` `GetTempFileNameW` `LoadLibraryExW` `EnumResourceTypesW` `FreeLibrary` `RemoveDirectoryW` `GetExitCodeProcess` `EnumResourceNamesW` `GetCommandLineW` `LoadResource` `SizeofResource` `FreeResource` `FindResourceW` `GetShortPathNameW` `GetSystemDirectoryW` `EnterCriticalSection` `CloseHandle` `LeaveCriticalSection` `InitializeCriticalSection` `WaitForSingleObject` `TerminateThread` `CreateThread` `Sleep` `WideCharToMultiByte` `HeapAlloc` `HeapFree` `LoadLibraryW` `GetProcAddress` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `GetCurrentProcess` `TerminateProcess` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `RemoveVectoredExceptionHandler` `AddVectoredExceptionHandler` `HeapSize` `MultiByteToWideChar` `CreateDirectoryW` `SetFileAttributesW` `GetTempPathW` `DeleteFileW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `CreateFileW` `SetFilePointer` `TlsFree` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapReAlloc` `DeleteCriticalSection` `GetLastError` `SetLastError` `UnregisterWait` `GetCurrentThread` `DuplicateHandle` `RegisterWaitForSingleObject`
SHELL32.DLL	`ShellExecuteExW` `SHGetFolderLocation` `SHGetPathFromIDListW`
WINMM.DLL	`timeBeginPeriod`
OLE32.DLL	`CoInitialize` `CoTaskMemFree`
SHLWAPI.DLL	`PathAddBackslashW` `PathRenameExtensionW` `PathQuoteSpacesW` `PathRemoveArgsW` `PathRemoveBackslashW`
USER32.DLL	`CharUpperW` `CharLowerW` `MessageBoxW` `DefWindowProcW` `GetWindowLongPtrW` `GetWindowTextLengthW` `GetWindowTextW` `EnableWindow` `DestroyWindow` `UnregisterClassW` `LoadIconW` `LoadCursorW` `RegisterClassExW` `IsWindowEnabled` `GetSystemMetrics` `CreateWindowExW` `SetWindowLongPtrW` `SendMessageW` `SetFocus` `CreateAcceleratorTableW` `SetForegroundWindow` `BringWindowToTop` `GetMessageW` `TranslateAcceleratorW` `TranslateMessage` `DispatchMessageW` `DestroyAcceleratorTable` `PostMessageW` `GetForegroundWindow` `GetWindowThreadProcessId` `IsWindowVisible` `EnumWindows` `SetWindowPos`
GDI32.DLL	`GetStockObject`
COMCTL32.DLL	`InitCommonControlsEx`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2a18`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.94348`
Detected Filetype	PNG graphic file
MD5	`affb57a80fd0dc22897dc96e24edcedd`
SHA1	`6e68ed8a1b67c9bbac609b73a69f5459f866745e`
SHA256	`37a7ccc88659e456b4e1873844ccb6e98d1f1629c83838ebe90b59e05f9819d4`
SHA3	`169d4cba64f01f2f0778953e0fdaa726f512c52181f0b16af6e74d255902b210`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.2916`
MD5	`c14835e925962bc1d27de806d19ca6b3`
SHA1	`a7238f9933e5876c47d577229fd66edc610cdff0`
SHA256	`c046aa013f5015189a1db2d2d473f798d982da192ca4f7e13a5d0c786f9eaa6a`
SHA3	`cc097bddf9401d349b2bea328a548e28da54d1e05320de3af274c86cc700025e`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.65088`
MD5	`7b9698440bb7471dd372386c8e5647f9`
SHA1	`5e6c1dd536ae6528cc14196c4dea05557667eef5`
SHA256	`40e8e9c86b3060d9f470e9f9627489994859a83c2f77205ee486a4f46cb0f42f`
SHA3	`6b7f893726af8d1a5cd61ce2f63d258e3b46ab9e33000b3fb2a8708792374b59`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.94574`
MD5	`9f3f4797da5c3acc3c538c9ca95aa173`
SHA1	`04488b0d57cdd8c05d8bec1ad19568f1418546f7`
SHA256	`763d5e682f7cb1221ba6a801707991387b38b1688a099514173021dd83f68f68`
SHA3	`cb24cc4759793973f75005aa6e5520abe080efeb3e64aaffc258833f0250cdb0`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.27094`
MD5	`107be5fe1d95a696e392fbd28e05189d`
SHA1	`09ff3882a3c448582f3c1732247b8f13612419a3`
SHA256	`7ce896be56a7ed9baa3f5d83ffb062fcc4e96e83780163efb461146bf59d4a11`
SHA3	`49a2ac52db50ebd3647d1cd8499ec26e22062cf69e9c805e26331dd955ad4579`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.83292`
MD5	`c54c5a66468ec6d510e5f7bcb24dd8a1`
SHA1	`e2fdb65241a3193bd7382b0e0cc419a8c24ef128`
SHA256	`b3629ec8763e23389e624874c7675b633125b7c5e7cbb8d4c5296643c2a3af52`
SHA3	`2925aa3b243d3af716f17668634573e8bd7481f384254a4cb528c93ec2048ada`

3D047D4C5C1AAAA292AC42606EFB467CFE1F54C9

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xd`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.70044`
MD5	`08408174b359ee2d19b5f30135f03067`
SHA1	`da99408b6631bb8a77ac931d592560bb6eacae42`
SHA256	`f0a1666eeae02f75061af872b937dd953b15d6965f79a0231fb7007d7720d02a`
SHA3	`84450b34efc143fe64a8415d4ca754a07dee65d8055a6d81911222ffd4cda49d`

4A5EC8E7AA6DF95A48CD26F032FAB113

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x27`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.18284`
MD5	`0e3c34c73c04ca093df2560a45b18aab`
SHA1	`f5fc9654e4668f7abb53437806b757c5c6813674`
SHA256	`3c9f64c6e81d91b1d7c9afab0d1c484c58ec892773b1988364558e1307deb47f`
SHA3	`91e0dba0a4ffd23bc715e27fd33fbeb515e6b36f1bff8de0d5832c363022104d`

A794C755A7

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

C1E983372BC0A95ADB468E9D44D1D7B8

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23593`
MD5	`7bb55e591962edd967c9a3039407256c`
SHA1	`e84642313805d66ef70fdada202992d040a1c2cc`
SHA256	`8fcbd3ba77d0af716d0b3f342b877539512ba665a6c5ad7999a531bff05a6a91`
SHA3	`116f25e12adcabbb7a50c5223cf85536391d06d1114f226b2e5d018f6907ff91`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79908`
Detected Filetype	Icon file
MD5	`8b9cb9e6a85b22f9fafa350b91991b47`
SHA1	`24d652f23fa76535241907029da27e3dadedf82b`
SHA256	`a03f5468de0c7f1165d0f8b12339fb9bf2355617fd63a17746776191df98ca01`
SHA3	`b09f8d140c2dfcce0589f9b02b4ea5c6a6c73283eb22cf2f136fedda899d7310`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x267`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.90544`
MD5	`4e2ee33c354e5aff254814592a935dd3`
SHA1	`059023c6baf2e13e5b77a51b8348b551e92c72d5`
SHA256	`e740f847bcb93ac2af26fa0b6666dfdf74a32f167cb04608e558b8ea4568cdf7`
SHA3	`482ae796d6566ab40baace9acd3b17fe3ad863603d351ab89930e4992f9ccae5`

Version Info

TLS Callbacks

Load Configuration

RICH Header

1d63b195bd38cad51d7eea718c9d228d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.code

.text

.rdata

.pdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

5

6

3D047D4C5C1AAAA292AC42606EFB467CFE1F54C9

4A5EC8E7AA6DF95A48CD26F032FAB113

A794C755A7

C1E983372BC0A95ADB468E9D44D1D7B8

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors