Manalyze report for 1e4086b9eb64157a48e3832da9e1e25c2549064d5fa24a39510ce7a997d3045e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	1 callback(s) detected.

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5`
Suspicious	The PE is possibly packed.	`Unusual section name found: ayis` `Section ayis is both writable and executable.` `Unusual section name found: vDx+` `Section vDx+ is both writable and executable.` `Unusual section name found: na*b` `The PE only has 5 import(s).`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Malicious	VirusTotal score: 23/72 (Scanned on 2026-04-17 15:01:17)	`AVG: Win64:Malware-gen` `Avast: Win64:Malware-gen` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: WinGo/ShellcodeRunner_AGen.A trojan` `Elastic: malicious (high confidence)` `Gridinsoft: Trojan.Heur!.032921E3` `Kaspersky: HEUR:Trojan-PSW.Win64.Disco.pef` `Malwarebytes: Malware.AI.3992362867` `MaxSecure: Trojan.Malware.300983.susgen` `McAfeeD: ti!1E4086B9EB64` `Microsoft: Trojan:Win32/Sabsik.EN.A!ml` `Rising: Trojan.Kryptik@AI.91 (RDML:E8vNRpL0ICJgU49XAWkDPw)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Sophos: CXrep/MalGo-B` `Symantec: ML.Attribute.HighConfidence` `TACHYON: Trojan/W64.Agent.4196864.B` `Trapmine: malicious.high.ml.score` `VirIT: Trojan.Win64.Agent.IDU`

Hashes

MD5	`4c4394c3cd784bd42c46cd7885ae84da`
SHA1	`a8191c4f120c4f07e9cffbdc6ccfeb9554f73e73`
SHA256	`1e4086b9eb64157a48e3832da9e1e25c2549064d5fa24a39510ce7a997d3045e`
SHA3	`159adff8f31c77ef73b049e09d42f5c79bcada6d5b223c7ea47081edf205ff3e`
SSDeep	`98304:WL5cMnMvPFKQerVEKqmoKcmHWMJhVOGGu1ytKgFPNt3Y020azhzyYgH8o:OlnMvPFoCKqDHmvHVOGz19Ut3Y5NuY0`
Imports Hash	`9aebf3da4677af9275c461261e5abde3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x401000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0xed000`
AddressOfEntryPoint	`0x00000000004EE170 (Section: vDx+)`
BaseOfCode	`0xee000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`0.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x4f0000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

ayis

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xed000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

vDx+

MD5	`fc087d199587963a6eff842ea24c4a81`
SHA1	`bb175e77630124b6f01a5686921a0403c55d39bb`
SHA256	`02489d5dc9960e561e63ffca8b83ff142fa16bc7e9d1ff0769e995090e9ccf3c`
SHA3	`6b032cde445ddbf0bb4eb41e0d5ab5383cb0f863b81a3dfa8b549b31223bad65`
VirtualSize	`0x401000`
VirtualAddress	`0xee000`
SizeOfRawData	`0x400600`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.81858`

na*b

MD5	`0f080d9c7cb8b195d56bebaa3bc35143`
SHA1	`e4c178f4f730010b3661b90f750909164cf169b3`
SHA256	`ef873a041c57876505e676f44cbc9087318dc60928c79b11c1952a966cf324c9`
SHA3	`8a1cb16f25c38a23a60f2862e4917280fe1257eaf2a5ddebe28eafa4aac0985b`
VirtualSize	`0x1000`
VirtualAddress	`0x4ef000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.90615`

Imports

KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
msvcrt.dll	`exit`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x8ee468`
EndAddressOfRawData	`0x8ee470`
AddressOfIndex	`0x8e219c`
AddressOfCallbacks	`0x8ee470`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00000000008EE415`

Load Configuration

RICH Header

Errors

[*] Warning: IMAGE_EXPORT_DIRECTORY field Characteristics is reserved and should be 0!
[!] Error: Could not read the exported DLL name.
[*] Warning: Section ayis has a size of 0!

Leave a comment

No comments yet.