29bdf43af7fce4a48a4699f01ba35a9d23ec72109f9a8d59b84788610066b715

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Apr-07 14:30:54
Detected languages English - United States
Debug artifacts C:\Users\tha8b\OneDrive\Desktop\new injectors\MW2019 AIO DEV LOADER - Copy\x64\Release\zim.pdb

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • %temp%
  • CurrentControlSet\Services
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • Exploit
Contains domain names:
  • http://scripts.sil.org
  • http://scripts.sil.org/OFLThis
  • http://scripts.sil.org/OFLwww.inderesting.comAndreas
  • http://www.microsoft.com
  • http://www.microsoft.com/typography/fonts/
  • inderesting.com
  • microsoft.com
  • scripts.sil.org
  • www.microsoft.com
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExA
  • LoadLibraryW
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Possibly launches other programs:
  • ShellExecuteW
Manipulates other processes:
  • Process32First
  • Process32Next
Malicious VirusTotal score: 54/70 (Scanned on 2026-04-07 14:09:36)
APEX: Malicious
AVG: Win64:MalwareX-gen [Rat]
AhnLab-V3: Trojan/Win.Generic.C5607152
Alibaba: TrojanDropper:Win64/UnwantedX.1d2549c9
Arcabit: Trojan.Generic.D4BF405D
Avast: Win64:MalwareX-gen [Rat]
Avira: TR/Drop.Agent.oltfr
BitDefender: Trojan.GenericKD.79642717
Bkav: W64.AIDetectMalware
CAT-QuickHeal: Trojan.Ghanarava.1732026502593826
CTX: exe.trojan.generic
ClamAV: Win.Malware.Lazy-10034378-0
CrowdStrike: win/malicious_confidence_100% (W)
Cylance: Unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Tool.Inject.78
ESET-NOD32: Win64/TrojanDropper.Agent.GD trojan
Elastic: Windows.Generic.Threat
Emsisoft: Trojan.GenericKD.79642717 (B)
F-Secure: Trojan.TR/Drop.Agent.oltfr
Fortinet: W64/Agent.GD!tr
GData: Trojan.GenericKD.79642717
Google: Detected
Ikarus: Trojan-Dropper.Win64.Agent
K7AntiVirus: Trojan ( 005ceda41 )
K7GW: Trojan ( 005ceda41 )
Kaspersky: Trojan.Win32.Agent.xaxuqi
Kingsoft: Win32.Troj.Unknown.a
Lionic: Trojan.Win32.Agent.Y!c
Malwarebytes: Malware.AI.4284587977
MaxSecure: Trojan.Malware.208681707.susgen
McAfeeD: ti!29BDF43AF7FC
MicroWorld-eScan: Trojan.GenericKD.79642717
Microsoft: Trojan:Win32/Phonzy.A!ml
NANO-Antivirus: Trojan.Win64.Inject.kfqarg
Paloalto: generic.ml
Panda: Trj/Chgt.AD
Rising: Dropper.Agent!8.2F (TFE:5:8Ivdm0XplEG)
Sangfor: Trojan.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Sophos: Mal/Generic-S
Symantec: ML.Attribute.HighConfidence
Tencent: HackTool.Win64.KernelDrUtil.16000463
TrellixENS: Artemis!2CA19D0F12D1
TrendMicro-HouseCall: TROJ_GEN.R002H0AC526
VBA32: Trojan.Agent
VIPRE: Trojan.GenericKD.79642717
Varist: W64/ABRisk.TFNL-6885
ViRobot: Trojan.Win.Z.Agent.2188288
Yandex: Trojan.Agent!9nzn1VYMaBM
Zillya: Dropper.Agent.Win64.8685
alibabacloud: HackTool:Win/KDU.A
huorong: HackTool/Injector.f

Hashes

MD5 2ca19d0f12d1f16f6d08b34c48593826
SHA1 eb8a5beea1177a71a2123d666638233da57146ad
SHA256 29bdf43af7fce4a48a4699f01ba35a9d23ec72109f9a8d59b84788610066b715
SHA3 d9758c010c8a8e3eb5ed4b5a44b38396dccfda9ae9cf0b8127168bf3bcb1e089
SSDeep 49152:MKJhzckSniODlvlLyE/r9NCbm1M7nvUoJC+O93+x:M2zckSniCRCbm1MVCru
Imports Hash d34eed44db328d2e496951f9c30d2670

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2023-Apr-07 14:30:54
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x9c00
SizeOfInitializedData 0x20d000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000009A90 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x21a000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f97bcd79a6f8ef39aaa7188c36804f31
SHA1 2975dc8e4d465b5de969fef4bbba99d22a0fc303
SHA256 2b15427144d8cbe8bc010d921fc636e635a8d84d28d953317f5062175b617d3c
SHA3 39661101f8e0fa669c24719d6d5d269ea14f8da4612156edf9131607a22c2fba
VirtualSize 0x9bff
VirtualAddress 0x1000
SizeOfRawData 0x9c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.36525

.rdata

MD5 c2136918d24eaf17973da2cc0f211090
SHA1 c4bb51d42b4d667438935b9b82ea823fd74a9352
SHA256 ac129c10b0ef1a10ba9ad95b65dba53025cbf13a1e20a57f8acdc4852da8e29d
SHA3 999c64731b9ca8eeaa599a37738e056c8508aa3e1bc23b968e548f88cefdacd0
VirtualSize 0x1c2cdc
VirtualAddress 0xb000
SizeOfRawData 0x1c2e00
PointerToRawData 0xa000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.57188

.data

MD5 c00e52db8ad26e2a8c8928dfcc4c0b09
SHA1 003fe49e101c7c24b0dc289103b0d09159ba924b
SHA256 992968b89890a8a9d9d6d2477d170b3c014e1a2dff9342cece69c3f4b3fe3106
SHA3 44b16b725fbab74d80bab7369d29a058e434baa4126b1b1836cb81938c429e2f
VirtualSize 0x45670
VirtualAddress 0x1ce000
SizeOfRawData 0x44c00
PointerToRawData 0x1cce00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.91566

.pdata

MD5 174f63895cee1bc7883c666b518aa6b2
SHA1 06b176744c4b549203c1481f7cfb810151e1ebcc
SHA256 e04494b536ab1083a4f8ff9384b91df9d6620c81f9bb944925b30083436de241
SHA3 ce6b7d8d19ea23f90d0eb9a8d02e8b6f7f5f0830a221e86c0c6fc55c3de7205e
VirtualSize 0x888
VirtualAddress 0x214000
SizeOfRawData 0xa00
PointerToRawData 0x211a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.23436

.rsrc

MD5 10c2cff46b6e9779d0456ed658cd6203
SHA1 0e1320557f2e8541aa90bf84a5afce6d9ea55140
SHA256 0099ae86a506248f7b701052cde819d7418590ff6a674d10dd838f2c60340a31
SHA3 e1a70795bb0f0d59012771988ccf29f165a0c5fdfed5c33c15fb572bfe9e050b
VirtualSize 0x3dc0
VirtualAddress 0x215000
SizeOfRawData 0x3e00
PointerToRawData 0x212400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.56157

.reloc

MD5 8cca447937c5750887b570c80a9e1489
SHA1 57f73014ca7bad2dc909e6fc7c93f48c781fd791
SHA256 c4795dc2067c8aecf98e314b33645176a8076c79dac2306b04d37cc573a0194d
SHA3 dfd7ba598026354f8922826106ece025d4524b19964d432e8e5740516371c299
VirtualSize 0x8c
VirtualAddress 0x219000
SizeOfRawData 0x200
PointerToRawData 0x216200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 1.8755

Imports

KERNEL32.dll
  ReadFile
  WriteFile
  Beep
  GetLastError
  Sleep
  GetCurrentProcess
  GetWindowsDirectoryW
  VirtualAlloc
  VirtualFree
  FreeLibrary
  GetProcAddress
  LoadLibraryExA
  GetFileSize
  LoadLibraryW
  CreateToolhelp32Snapshot
  Process32First
  Process32Next
  GetSystemTimeAsFileTime
  GetCurrentThreadId
  GetCurrentProcessId
  QueryPerformanceCounter
  IsDebuggerPresent
  IsProcessorFeaturePresent
  TerminateProcess
  SetUnhandledExceptionFilter
  UnhandledExceptionFilter
  DeleteFileW
  DeviceIoControl
  CloseHandle
  LoadLibraryA
  CreateFileW
  GetModuleHandleW
  CreateEventW
  WaitForSingleObjectEx
  ResetEvent
  SetEvent
  DeleteCriticalSection
  InitializeCriticalSectionAndSpinCount
  LeaveCriticalSection
  EnterCriticalSection
  InitializeSListHead
USER32.dll
  IsWindowVisible
  PostThreadMessageA
  GetWindowThreadProcessId
  GetWindow
  EnumWindows
  UnhookWindowsHookEx
  SetWindowsHookExA
SHELL32.dll
  ShellExecuteW
MSVCP140.dll
  ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
  ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
  ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
  ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
  ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
  ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
  ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
  ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
  ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
  ?uncaught_exception@std@@YA_NXZ
  ?_Xout_of_range@std@@YAXPEBD@Z
  ?_Xlength_error@std@@YAXPEBD@Z
ntdll.dll
  RtlLookupFunctionEntry
  RtlCaptureContext
  RtlImageNtHeader
  RtlVirtualUnwind
VCRUNTIME140.dll
  __current_exception
  __C_specific_handler
  __std_exception_copy
  memcmp
  __std_terminate
  memset
  memmove
  memcpy
  _CxxThrowException
  __std_exception_destroy
  __current_exception_context
VCRUNTIME140_1.dll
  __CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll
  _initialize_onexit_table
  _register_onexit_function
  _crt_atexit
  _cexit
  _invalid_parameter_noinfo_noreturn
  _initialize_narrow_environment
  _set_app_type
  _configure_narrow_argv
  _get_initial_narrow_environment
  _initterm
  _initterm_e
  _exit
  __p___argc
  __p___argv
  _c_exit
  _register_thread_local_exe_atexit_callback
  _seh_filter_exe
  exit
  terminate
api-ms-win-crt-string-l1-1-0.dll
  _stricmp
  strcpy_s
api-ms-win-crt-heap-l1-1-0.dll
  _set_new_mode
  free
  malloc
  _callnewh
api-ms-win-crt-stdio-l1-1-0.dll
  __p__commode
  _set_fmode
api-ms-win-crt-utility-l1-1-0.dll
  rand
api-ms-win-crt-math-l1-1-0.dll
  __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll
  _configthreadlocale

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.27619
MD5 665f5b0319847bfbd3395f6e83a009d4
SHA1 ac9f11830e4fb889563e0a67e56202c020576451
SHA256 6a1296a2d63f73a2fe4fa7c5f2ea43eaf256a764404aac4bfb3787fff89e9849
SHA3 17fb549dfa40652b485c974c334b64d234737180462735733e133f3d55896652

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.7207
MD5 79f9d188b27df57a086640e7698ae7d5
SHA1 9d16add8096aaa65e24f2635a6a354da05cbc040
SHA256 6265b2754fee8547af45d92d00c63e3dc4ebf34944339b91c4869481dcb0cc61
SHA3 70ad4d1484d5cdbaa6e26c294383e9868d1afa273c5ed1e28ecbc235ecfdf1bb

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.12456
MD5 9c29ccbfe8950182fca5c6a55048a866
SHA1 7ff867f5f7283dcb81d8abc8fee19041fd4a7ee0
SHA256 d78e44d018b8b14012e90d7f97be21284b2cb19336b20c268a7d4b14633c454c
SHA3 65824d68a6553b921f7690947abb3795bda852ef78fe4c675b32440b0a4e9f35

102

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x30
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.45849
Detected Filetype Icon file
MD5 409e1724611e0bc39356e2f58888db55
SHA1 c06c0e66cc2f7956256e2f018aa0294bfa914960
SHA256 6ab18c3b81a5d30c5a190a4504cae807d73b1a4d02d56ffddf641abbb62b7210
SHA3 315b2ad40793f4ef885ff4c878169b02c62f619b57780a98a76c8538cd0ee5c9

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89623
MD5 b8e76ddb52d0eb41e972599ff3ca431b
SHA1 fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
SHA256 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA3 37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2023-Apr-07 14:30:54
Version 0.0
SizeofData 119
AddressOfRawData 0x1cbaa4
PointerToRawData 0x1caaa4
Referenced File C:\Users\tha8b\OneDrive\Desktop\new injectors\MW2019 AIO DEV LOADER - Copy\x64\Release\zim.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2023-Apr-07 14:30:54
Version 0.0
SizeofData 20
AddressOfRawData 0x1cbb1c
PointerToRawData 0x1cab1c

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-Apr-07 14:30:54
Version 0.0
SizeofData 932
AddressOfRawData 0x1cbb30
PointerToRawData 0x1cab30

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2023-Apr-07 14:30:54
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x1401cbef8
EndAddressOfRawData 0x1401cbf00
AddressOfIndex 0x1402130b0
AddressOfCallbacks 0x14000b4c0
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140212b08

RICH Header

XOR Key 0x9b8b3503
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 18
Imports (2207) 2
253 (VS2022 Update 4 (17.4.2) compiler 31935) 1
C objects (VS2022 Update 4 (17.4.2) compiler 31935) 10
ASM objects (VS2022 Update 4 (17.4.2) compiler 31935) 3
C++ objects (VS2022 Update 4 (17.4.2) compiler 31935) 31
Imports (VS2022 Update 4 (17.4.2) compiler 31935) 6
Imports (29395) 13
Total imports 194
C++ objects (VS2022 Update 5 (17.5.3) compiler 32216) 5
Resource objects (VS2022 Update 5 (17.5.3) compiler 32216) 1
151 1
Linker (VS2022 Update 5 (17.5.3) compiler 32216) 1

Errors
