1f8c1bc11832f3c2622e3658356c9cdd

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 1970-Jan-01 00:00:00
TLS Callbacks 1 callback(s) detected.

Plugin Output

Suspicious: The PE is packed with UPX
Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Unusual section name found: UPX2
The PE only has 7 import(s).
Suspicious: The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Malicious: VirusTotal score: 8/71 (Scanned on 2023-05-13 18:42:54)
APEX: Malicious
Cybereason: malicious.c59190
Cynet: Malicious (score: 100)
MaxSecure: Trojan.Malware.300983.susgen
McAfee-GW-Edition: BehavesLike.Win64.Generic.kc
Paloalto: generic.ml
Sophos: Generic ML PUA (PUA)
Trapmine: malicious.moderate.ml.score

Hashes

MD5 1f8c1bc11832f3c2622e3658356c9cdd
SHA1 9787bb3c59190e124be918e64d1dd382fe0e714b
SHA256 e4695f2c2c872daa8b8b07e3b1d2412d9dc17f344f48f964d8c5b8dcaac9e170
SHA3 e99e7ce5a01fb02cebdae1cad3a46a9c87fd66170d8970a300b61c6c63cfc55f
SSDeep 1536:dBIIWhMvraunopEQsajTDXFWs7PWddvqPxsG3jn:xrgpEQdHXlizvqJs
Imports Hash e21e17ff820bc123b050075aae0d0a6b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0x11000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x3e000
AddressOfEntryPoint 0x000000000004E6C0 (Section: UPX1)
BaseOfCode 0x3f000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x51000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x3e000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 bd730e550ef2b011968808f225c9ccdb
SHA1 f62953d745cdf0645a194d2c3ba9f1f41ad56d7f
SHA256 7e2524e1f9e90d96038488535290ac476f98de6a6b43994698feb26c5218df2e
SHA3 ce6e808c675d6d0654c10e31ad3f244228d1628b67772644e223e70dd7977c21
VirtualSize 0x11000
VirtualAddress 0x3f000
SizeOfRawData 0x10400
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.98178

UPX2

MD5 f70937fd4f0b911ba6e64e9c0114eb25
SHA1 686f3547214bccebe3e1ce6908a9d04cb8f4b9b8
SHA256 4b7876f3f0826d2b7d805aaa59ff6ce7d3889f9bc2f445d52dfae0cff586ef26
SHA3 6c2ed682806f6e4af2c1e1c6c422883f9fb0eb6bdf3672a30d17b12777cb620b
VirtualSize 0x1000
VirtualAddress 0x50000
SizeOfRawData 0x200
PointerToRawData 0x10600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.17874

Imports

KERNEL32.DLL
  • LoadLibraryA
  • GetProcAddress
  • VirtualProtect
  • VirtualAlloc
  • VirtualFree
  • ExitProcess
msvcrt.dll
  • exit

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData 0x44f2d0
EndAddressOfRawData 0x44f330
AddressOfIndex 0x44983c
AddressOfCallbacks 0x44f330
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x000000000044F27E

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!