297180aa16e9b2dc686fe4dbbd514effad32bbcded01c8e8929a4cf277e1878a

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2026-Apr-12 02:53:08
Detected languages English - United States
TLS Callbacks 1 callback(s) detected.

Plugin Output

Suspicious: The PE is packed with UPX
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
Suspicious: The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
Possibly launches other programs:
  • ShellExecuteA
Has Internet access capabilities:
  • InternetOpenA
Leverages the raw socket API to access the Internet:
  • WSAStartup
Can take screenshots:
  • BitBlt
  • GetDC
Malicious: VirusTotal score: 9/72 (Scanned on 2026-04-13 16:40:37)
CrowdStrike: win/malicious_confidence_100% (D)
Cylance: Unsafe
DeepInstinct: MALICIOUS
Elastic: malicious (moderate confidence)
Kaspersky: UDS:Trojan-Downloader.Win32.Agent.xydqyf
Malwarebytes: Malware.AI.1545055809
Microsoft: Trojan:Win32/Wacatac.C!ml
SentinelOne: Static AI - Suspicious PE
Symantec: ML.Attribute.HighConfidence

Hashes

MD5 40ade8cb3ef01fa67eab266ee8e8d314
SHA1 6847bf3263e472492922a078bbbb1ee20bf87f86
SHA256 297180aa16e9b2dc686fe4dbbd514effad32bbcded01c8e8929a4cf277e1878a
SHA3 5c1eeb01d0a3cc483ddb66a14f7f3213cada24103aa3c62529c48b2705cd59ae
SSDeep 3072:3Gmbz4ksSiVz12DYORh1BaGeIGc+J/uapJ/Hc31xknl:Wmb8kUfhq6P9Eazvize
Imports Hash 4a4996f7e93e20c19aa72d2b66e47a92

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 2026-Apr-12 02:53:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32+
LinkerVersion 2.0
SizeOfCode 0x22000
SizeOfInitializedData 0x12000
SizeOfUninitializedData 0x185d000
AddressOfEntryPoint 0x000000000187E760 (Section: UPX1)
BaseOfCode 0x185e000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x1892000
SizeOfHeaders 0x200
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x185d000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 37a58a4a656f4f881a4d6e54b8226a12
SHA1 c0c913a0e6a5f6b06e5865bdefa998cc24fa7389
SHA256 1c91e8ce09b461ded16915d2688a7836676f621d188e6f66d5fefe2803b93aed
SHA3 5f97704ee78bc0a5663d090fcdfeab6c42ab866d1e87ab842b7fcb2fef2c0315
VirtualSize 0x22000
VirtualAddress 0x185e000
SizeOfRawData 0x21400
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99511

.rsrc

MD5 f445671a0fd815b70f8afaf7b50caf6c
SHA1 3346f10be8554dda1801afb95f10e012292d7e96
SHA256 19e77c76b93e173d21927ba9457e3b6b0375c80f536b6e8cc8770d2ecf94baa9
SHA3 254e8675a39fe0f203d1efc8b955f3857dca2ba15f084be0ad4fbc878c9f22fa
VirtualSize 0x12000
VirtualAddress 0x1880000
SizeOfRawData 0x11200
PointerToRawData 0x21600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.4861

Imports

ADVAPI32.dll RegCloseKey
api-ms-win-crt-conio-l1-1-0.dll _getch
api-ms-win-crt-convert-l1-1-0.dll atoi
api-ms-win-crt-environment-l1-1-0.dll getenv
api-ms-win-crt-filesystem-l1-1-0.dll remove
api-ms-win-crt-heap-l1-1-0.dll free
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll pow
api-ms-win-crt-private-l1-1-0.dll memcmp
api-ms-win-crt-runtime-l1-1-0.dll exit
api-ms-win-crt-stdio-l1-1-0.dll feof
api-ms-win-crt-string-l1-1-0.dll memset
api-ms-win-crt-time-l1-1-0.dll clock
api-ms-win-crt-utility-l1-1-0.dll rand
GDI32.dll BitBlt
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
SHELL32.dll ShellExecuteA
USER32.dll GetDC
WININET.dll InternetOpenA
WS2_32.dll WSAStartup

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10898
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.37555
MD5 4d91e714c6a434f7bcfe02510d4b375b
SHA1 087018c667147bcc44bfac299cc7564646be6918
SHA256 afad580848f699ed1a1bc0314233a66606d1bc6d23f7ec360d8c261d21990512
SHA3 0d5dcab8c33d69cae7599f42a57c036d1fe4071d10025dd89a0208dd955fdf1d

1 (#2)

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.98048
Detected Filetype Icon file
MD5 394db8438b48db5893d9761d2fbd0703
SHA1 198060a51127add501a2ff582a73b0fd51db2f55
SHA256 83b2f7c6ddb1a8851b7c75d7aac6358c5aa8dbaf987c43dee3de24a7eeb4e586
SHA3 6bf5bb68855ef9e4eac75c053f399e27e9d5cb7bc492abdebe2e4207a1bb2d67

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x185
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.87566
MD5 7def5c4427fbc6790c8702d1f09702b0
SHA1 27a0fb50dcc3c65515d89868acbca85b75e685d4
SHA256 3d8525da7d16c956a051fda844de190eda4bf1373627f39261d4ac372acaf8db
SHA3 a9da15a63d4a4252a3cb4a8262f66898fa2f06b7fe039f5d3a200a9ac7818466

Version Info

TLS Callbacks

StartAddressOfRawData 0x14187f3b0
EndAddressOfRawData 0x14187f3b8
AddressOfIndex 0x1418652ac
AddressOfCallbacks 0x14187f3b8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks 0x000000014187F362

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0! (SizeOfRawData is 0 because UPX0 is the 0x185d000-byte uninitialized region the unpacker stub decompresses the original image into; the MD5/SHA values listed for it above are the hashes of empty input.)
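The findings in this report come from a handful of header checks, and for a UPX-packed file they need context. UPX1 holds the compressed payload plus the unpacker stub (entropy 7.995, entry point 0x187E760 inside it), and the import table shows one function per DLL plus KERNEL32's LoadLibraryA/GetProcAddress/VirtualProtect/ExitProcess, which is the packer stub's import layout: the original imports are resolved at runtime, so the capability findings (screenshots, registry, WinINet, Winsock) are based on a single retained import per DLL and the real set has to be read from the unpacked binary. The TLS callback at 0x14187F362 also lies in UPX1 and runs before the entry point, so a debugger breakpoint on the entry point alone is too late. The script below is an added example, not Manalyzer's code or output: build_sample() constructs a synthetic PE32+ image whose DOS/COFF/optional/section headers carry the values this report lists (the section bodies are constructed filler, since the sample's bytes are not on the page), and triage() re-derives the section-name, W+X, zero-raw-size, entropy and per-section MD5 findings in pure Python and maps the entry point and the TLS callback to file offsets. The callback VA is copied from the report's TLS section rather than parsed from a data directory, which the synthetic image does not contain.

```python
"""Re-derive the section-table findings of a Manalyzer-style report from raw
PE headers (struct only, no pefile). Added example; the image it builds is a
constructed stand-in whose headers mirror the report, not the sample itself."""
import hashlib
import math
import random
import struct
from collections import Counter, namedtuple

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Header values copied from the report; the callback VA from its TLS section.
IMAGE_BASE = 0x140000000
ENTRY_POINT_RVA = 0x187E760
TLS_CALLBACK_VA = 0x14187F362
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
REPORTED_SECTIONS = [
    (b"UPX0", 0x185D000, 0x0001000, 0x00000, 0x00200, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
    (b"UPX1", 0x0022000, 0x185E000, 0x21400, 0x00200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    (b".rsrc", 0x0012000, 0x1880000, 0x11200, 0x21600,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

Section = namedtuple("Section", "name vsize va rsize rptr chars")


def build_sample():
    """Synthetic PE32+ file mirroring the report's headers (constructed, not the sample)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # COFF header: AMD64, 3 sections, SizeOfOptionalHeader 0xF0, Characteristics as reported
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x022E)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 16, ENTRY_POINT_RVA)  # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, IMAGE_BASE)       # ImageBase is 8 bytes in PE32+
    hdr += opt
    for name, vsize, va, rsize, rptr, chars in REPORTED_SECTIONS:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    assert len(hdr) == 0x200                          # equals the report's SizeOfHeaders
    rng = random.Random(0x5ACC)                       # fixed seed: reproducible filler
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x21400))  # stand-in for compressed data
    rsrc = b"\0\0\0\1RSRC" * (0x11200 // 8)                   # low-entropy stand-in
    return bytes(hdr) + upx1 + rsrc


def parse(data):
    """Return (ImageBase, AddressOfEntryPoint, [Section]) from a PE32/PE32+ image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    # ImageBase sits at +24 (QWORD) in PE32+ and at +28 (DWORD) in PE32
    image_base, = struct.unpack_from("<Q", data, opt + 24) if magic == 0x20B else struct.unpack_from("<I", data, opt + 28)
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[1], f[2], f[3], f[4], f[9]))
    return image_base, entry_rva, secs


def shannon(buf):
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    n = len(buf)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def rva_to_offset(secs, rva):
    """Map an RVA to (section name, file offset); offset is None when the RVA
    is backed only by memory (uninitialized data such as the UPX0 destination)."""
    for s in secs:
        if s.va <= rva < s.va + max(s.vsize, s.rsize):
            delta = rva - s.va
            return s.name, (s.rptr + delta if delta < s.rsize else None)
    return None, None


def triage(data):
    """Reproduce the report's section findings for a PE image held in memory."""
    image_base, entry_rva, secs = parse(data)
    out = {"image_base": image_base, "findings": [], "entropy": {}, "md5": {}}
    for s in secs:
        raw = data[s.rptr:s.rptr + s.rsize]
        if s.name.startswith("UPX"):
            out["findings"].append(f"Unusual section name found: {s.name}")
        if s.chars & IMAGE_SCN_MEM_WRITE and s.chars & IMAGE_SCN_MEM_EXECUTE:
            out["findings"].append(f"Section {s.name} is both writable and executable.")
        if s.rsize == 0:
            out["findings"].append(f"Section {s.name} has a size of 0! ({s.vsize:#x} bytes virtual, memory-only)")
        out["entropy"][s.name] = shannon(raw)
        out["md5"][s.name] = hashlib.md5(raw).hexdigest()
    out["entry"] = rva_to_offset(secs, entry_rva)
    out["tls_callback"] = rva_to_offset(secs, TLS_CALLBACK_VA - image_base)
    return out


if __name__ == "__main__":
    r = triage(build_sample())
    print("\n".join(r["findings"]))
    for name, h in r["entropy"].items():
        print(f"{name:6} entropy {h:.5f}  md5 {r['md5'][name]}")
    print("entry point (section, file offset):", r["entry"])
    print("TLS callback (section, file offset):", r["tls_callback"])
```

To run the same checks on a real file, pass open(path, "rb").read() to triage() instead of build_sample(); parse() reads only the fields these checks need, so a real triage would still walk the TLS and import data directories, which this synthetic image omits. On the constructed image the UPX0 hashes come out as the empty-input values the report lists, the entry point maps into UPX1 at file offset 0x20960, and the TLS callback maps into UPX1 at 0x21562, which is where a breakpoint belongs if the sample is run under a debugger.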