Manalyze report for a21b5212b6048b2a0c74e98914c7960b4a57bdd068dd3b21212f12d9e4a63b1a

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Oct-24 21:08:43
Detected languages	English - United States

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .cQI0` `Unusual section name found: .cQI1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: FindWindowA` `Possibly launches other programs: ShellExecuteA` `Uses Microsoft's cryptographic API: CryptEncrypt CryptDecodeObjectEx` `Leverages the raw socket API to access the Internet: getsockname`
Malicious	VirusTotal score: 47/67 (Scanned on 2022-06-30 17:21:18)	`Lionic: Trojan.Win32.Mansabo.4!c` `tehtris: Generic.Malware` `Cynet: Malicious (score: 100)` `FireEye: Generic.mg.239489303e12c57e` `ALYac: Trojan.GenericKD.39160790` `Malwarebytes: Trojan.TrickBot` `Sangfor: Trojan.Win32.Mansabo.gzx` `K7AntiVirus: Trojan ( 0058cdab1 )` `Alibaba: Trojan:Win32/Mansabo.5ae8a7e9` `K7GW: Trojan ( 0058cdab1 )` `Cybereason: malicious.2f7430` `Cyren: W64/ABRisk.FJJD-7122` `Symantec: Trojan.Gen.2` `Elastic: malicious (high confidence)` `ESET-NOD32: a variant of Win64/Packed.VMProtect.L suspicious` `TrendMicro-HouseCall: TROJ_GEN.R002H07CA22` `Paloalto: generic.ml` `Kaspersky: Trojan.Win32.Mansabo.gzx` `BitDefender: Trojan.GenericKD.39160790` `NANO-Antivirus: Trojan.Win64.Mansabo.jpcayw` `MicroWorld-eScan: Trojan.GenericKD.39160790` `Ad-Aware: Trojan.GenericKD.39160790` `Sophos: Mal/Generic-S` `Zillya: Trojan.Mansabo.Win32.2234` `McAfee-GW-Edition: BehavesLike.Win64.Backdoor.tc` `Trapmine: suspicious.low.ml.score` `Emsisoft: Trojan.GenericKD.39160790 (B)` `GData: Trojan.GenericKD.39160790` `Jiangmin: Trojan.Mansabo.cgo` `Webroot: W32.Trojan.Gen` `Avira: TR/Agent.achv` `Gridinsoft: Trojan.Heur!.02292423` `Arcabit: Trojan.Generic.D2558BD6` `ZoneAlarm: Trojan.Win32.Mansabo.gzx` `Microsoft: Trojan:Win32/Sabsik!ml` `McAfee: Artemis!239489303E12` `MAX: malware (ai score=83)` `VBA32: Trojan.Mansabo` `Cylance: Unsafe` `APEX: Malicious` `Rising: Trojan.Mansabo!8.E80A (CLOUD)` `Yandex: Trojan.Mansabo!z330kvJyPTc` `SentinelOne: Static AI - Malicious PE` `MaxSecure: Trojan.Malware.300983.susgen` `AVG: Win64:MalwareX-gen [Trj]` `Avast: Win64:MalwareX-gen [Trj]` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`239489303e12c57e299d380063bb916a`
SHA1	`3fbd3572f7430c9eb4531d186a1d42663f7c536d`
SHA256	`a21b5212b6048b2a0c74e98914c7960b4a57bdd068dd3b21212f12d9e4a63b1a`
SHA3	`518d5bc9248397974ed540fb96806d09a6670df47ff1fa7edc88abc1c5bda7e3`
SSDeep	`196608:47njdJxAZSUsstiGAdXFLaTiEqDICgNuR1lcG4bd:sjdzA0UHu2mDxv`
Imports Hash	`39a78e55873eab22cda134a88f647fde`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2021-Oct-24 21:08:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x236e00`
SizeOfInitializedData	`0x12fe00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000009D867E (Section: .cQI1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1231000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x236c14`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc4b1c`
VirtualAddress	`0x238000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3de24`
VirtualAddress	`0x2fd000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x15e58`
VirtualAddress	`0x33b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

_RDATA

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xf4`
VirtualAddress	`0x351000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.detourc

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2170`
VirtualAddress	`0x352000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.detourd

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x18`
VirtualAddress	`0x355000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.cQI0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5959e4`
VirtualAddress	`0x356000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.cQI1

MD5	`9a021e3f656a458d776e6d3e4de84ece`
SHA1	`58e2ce7ff7003629be7449b3f8b6614c2b1b13dd`
SHA256	`5dbb917c762272b5a162e41634bbcc851f3c8081542a7bcff889ca42de3eea5b`
SHA3	`59f2b05132bfedea11cdfffb6edf96dc68a8c8fbf792513f1c6af7d91fe1bd8d`
VirtualSize	`0x935954`
VirtualAddress	`0x8ec000`
SizeOfRawData	`0x935a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.95896`

.rsrc

MD5	`161beb46270b665ba08b70f33daa5899`
SHA1	`a3c172e8fc70a1fb1c6ca928dcf8a63ce36eb25f`
SHA256	`de931bd3899e33b2872af3219dc91ef834bd74f7518fd3f7b647cc86135f01ff`
SHA3	`8da7b028d5bbee876e2ed12e62728cc26fd3cf44dd8477500ca974d20f211372`
VirtualSize	`0xe917`
VirtualAddress	`0x1222000`
SizeOfRawData	`0xea00`
PointerToRawData	`0x935e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.97973`

Imports

SHLWAPI.dll	`PathCombineA`
IPHLPAPI.DLL	`GetAdaptersInfo`
ADVAPI32.dll	`CryptEncrypt`
USER32.dll	`FindWindowA`
WS2_32.dll	`getsockname`
WLDAP32.dll	`#60`
CRYPT32.dll	`CryptDecodeObjectEx`
Normaliz.dll	`IdnToAscii`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
KERNEL32.dll	`ExitProcess`
SHELL32.dll	`ShellExecuteA`
IMM32.dll	`ImmGetContext`
D3DCOMPILER_47.dll	`D3DCompile`
XINPUT1_4.dll	`#2`
GDI32.dll	`CreateSolidBrush`
ntdll.dll	`RtlCaptureContext`
bcrypt.dll	`BCryptGenRandom`
KERNEL32.dll (#2)	`ExitProcess`
USER32.dll (#2)	`FindWindowA`
KERNEL32.dll (#3)	`ExitProcess`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xe5e6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98912`
Detected Filetype	PNG graphic file
MD5	`d5841c1447420d17e0b58aa8532225fd`
SHA1	`4bbaaeec004f9cd281062fa44a836561585d6502`
SHA256	`78edf4f48c89e5a2e349fa6c4c8546b6782525c24fcca267cc684d01940e8ecc`
SHA3	`e3e056d0c245fce324fcd51168dfed5ba062bfa17904a61bdbadd1143f089b40`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.51664`
Detected Filetype	Icon file
MD5	`4f07c4443587403ff4e521938a0d2f59`
SHA1	`25e33a399b9b99a7e218eda6f2d20902ea7a0a28`
SHA256	`063f0f21e8f6781d3f1aa0433a976dfc0f254766160a2cd3ab3b3f6670e5242e`
SHA3	`aae5853f00f68825462e8fef77145730f591dc5bac0a830b0e028b2f37bbb2c4`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.02293`
MD5	`152bb89e1c983ac83f61f234467ce37b`
SHA1	`80fbd63597a74720f3564b4a285e074e768fd0a8`
SHA256	`c33fffcaf40d812614f14a0a6441a425ab9f0114d82a65072bb4b443cdb23614`
SHA3	`7c63b7dcf97ab61479aabc3f427c03cae0982fd8784546e844e8d1bd0ddb9fca`

Version Info

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1402fef30`

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section _RDATA has a size of 0!
[*] Warning: Section .detourc has a size of 0!
[*] Warning: Section .detourd has a size of 0!
[*] Warning: Section .cQI0 has a size of 0!

Leave a comment

No comments yet.