Manalyze report for 2bfd86f869a091400d1d6258deb6040cd0003883c9dd09dc3f8abef572a09c60

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Info	The PE is digitally signed.	`Signer: *.ifixit.com` `Issuer: Amazon RSA 2048 M01`
Malicious	VirusTotal score: 30/70 (Scanned on 2026-06-08 23:23:23)	`AVG: Win64:Evo-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.R777921` `Alibaba: Backdoor:Win64/Kryptik.b132bef7` `Avast: Win64:Evo-gen [Trj]` `Avira: TR/W64.Evo` `Bkav: W32.Malware.FF53D145` `CTX: exe.trojan.kryptik` `CrowdStrike: win/malicious_confidence_70% (W)` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `ESET-NOD32: WinGo/Kryptik.TG trojan` `Elastic: malicious (high confidence)` `F-Secure: Trojan.TR/W64.Evo` `Fortinet: W64/Kryptik.TG!tr` `Google: Detected` `Kaspersky: UDS:Backdoor.Win64.Gsb.gen` `Lionic: Trojan.Win32.Gsb.m!c` `Malwarebytes: Malware.AI.4044120996` `McAfeeD: ti!2BFD86F869A0` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Backdoor.Gsb!8.1DB49 (CLOUD)` `Sangfor: Trojan.Win64.Kryptik.Vhzx` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Win32.Trojan.FalseSign.Swhl` `TrellixENS: Artemis!FC39E08334FA` `Varist: W64/Agent.MCL.gen!Eldorado` `alibabacloud: Backdoor:Multi/Sabsik.ET` `huorong: Trojan/Loader.sh`

Hashes

MD5	`fc39e08334fa9061a734418eade538f0`
SHA1	`5e53eb112dda0105b222dfc95dd78bd6658a26af`
SHA256	`2bfd86f869a091400d1d6258deb6040cd0003883c9dd09dc3f8abef572a09c60`
SHA3	`164743c0ae81470bc3621b5ca20d486bc7b10b92088de4afdc8f0d05b3d610f2`
SSDeep	`24576:wyy8uYp5q3bN9Fpdphd79nT5esQ2NcZUQn0rMWO/nBele7tKDyi4rO:wyyZYp8bHdDd79n4sQ2MUQ0rMrnI`
Imports Hash	`d42595b695fc008ef2c56aabd8efd68e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x1f1200`
NumberOfSymbols	`2708`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0xade00`
SizeOfInitializedData	`0xf000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000720E0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x25c000`
SizeOfHeaders	`0x600`
Checksum	`0x91cd79`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`00e75c1c94ca550d80a6510f34839ff8`
SHA1	`9211a89fa9f7ef90eb91e5ec069bde8eb73ae70c`
SHA256	`15808c67c61bbe8d84d0f7a2b8f5fee152d90449d27017d980308ec8b5c36faa`
SHA3	`4c8e2f9f5b84d730b7077e6f27d6c42d7ae7f4f93c9f8f3d8f4e2b1d3e5984cf`
VirtualSize	`0xaddf1`
VirtualAddress	`0x1000`
SizeOfRawData	`0xade00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.24483`

.rdata

MD5	`452cfdd5d3865446ef96ff9f4b16e260`
SHA1	`dc06d61c5678e79ef4a5b680d518448e71610ea3`
SHA256	`469192f0b70486b6d563c7d387796b98bbaffc7d31ab2cb0684f1b49ce4375c5`
SHA3	`cf74cb1e1f694a22ec5b1a96cf61fb4f2f0be5afcc36fe9c3aa64748b392d4b3`
VirtualSize	`0x12a570`
VirtualAddress	`0xaf000`
SizeOfRawData	`0x12a600`
PointerToRawData	`0xae400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.42689`

.data

MD5	`353f32cd582443dc7e38d7ec96d49ce1`
SHA1	`cd9927e3c9672b8c75254840f13c0e5e25295f6d`
SHA256	`6c5ee75fa0d8307226e4e4433b072eda2693fa84c1f1023e92f58eaa17a72ad7`
SHA3	`4de45217b30e946eec5c3d3faf2efed47f47b5e99065da49c5d5aa68b820208f`
VirtualSize	`0x58348`
VirtualAddress	`0x1da000`
SizeOfRawData	`0xf000`
PointerToRawData	`0x1d8a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.5481`

.pdata

MD5	`867eeccd835c45a5756b72474ba5a2f8`
SHA1	`ae701d5e951c440717e82b8aef6b477b55b1ef23`
SHA256	`be559a49550a73aef694e61b10040fa3cecb308d828d5949ca0217e226c934ae`
SHA3	`140f5ed8d02da7c7a6b4fd11fa0cf649b521673866350ec4de79ab97122faac0`
VirtualSize	`0x4fd4`
VirtualAddress	`0x233000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x1e7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.22051`

.xdata

MD5	`99a1cabbb4ac1833f3f44a6eb88b1928`
SHA1	`f429a2368b71bc276faf192160aa9a8dcb75bad5`
SHA256	`0b4d588f31bf3563274a1fd4124946bf2254cb7eb385f10f25efd90813c0468d`
SHA3	`2bb039373b18db576063bdea990aa5591083e05cf0195c5b5b6d0a3b3a84a98f`
VirtualSize	`0xb4`
VirtualAddress	`0x238000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1eca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.78321`

.idata

MD5	`6a247d04db21fdd0fb0a8f6072d8b504`
SHA1	`5608f8c3b98c2b5fb9bfaf4646a7fbfeebb8b83b`
SHA256	`850d8d3256fd39fee01bee07b4535ca1569a776d671adba8b70931f424042056`
SHA3	`37d52eda3d17329787ff8835f422c6a61db3fc44bf571002b0d8238b5fc76d95`
VirtualSize	`0x53e`
VirtualAddress	`0x239000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1ecc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.01719`

.reloc

MD5	`eb5b4b1bb55aadd22b8fefd5b0db86f6`
SHA1	`fbb4e6656462d9728601d2ebc4eb6bfc0295d449`
SHA256	`cf40367d735f6300c105b778d1804c5425d56f92d44d90495589b03ab756d740`
SHA3	`aad23bc5e12c577f42513e72316cf687c47f1dd98aec6d7630f0ecad1de77929`
VirtualSize	`0x3f2c`
VirtualAddress	`0x23a000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1ed200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.42327`

.symtab

MD5	`c286a10da4afddd8a990c76d44b3d92b`
SHA1	`77054fd0cc2e530774cc0ddb486c122b42661a67`
SHA256	`7ee3b58eadda37a472ebfc8981b9e058ebefc5da93ee92ed22b846e9cf0220ef`
SHA3	`4540d8b8c7aac65b9d633ed9836a8c950318f10afd82bb09874307789c7e7b7e`
VirtualSize	`0x1d041`
VirtualAddress	`0x23e000`
SizeOfRawData	`0x1d200`
PointerToRawData	`0x1f1200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.07671`

Imports

kernel32.dll	`WriteFile` `WriteConsoleW` `WerSetFlags` `WerGetFlags` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `TlsAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `ResumeThread` `RaiseFailFastException` `PostQueuedCompletionStatus` `LoadLibraryW` `LoadLibraryExW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatusEx` `GetProcessAffinityMask` `GetProcAddress` `GetErrorMode` `GetEnvironmentStringsW` `GetCurrentThreadId` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateWaitableTimerExW` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler` `AddVectoredContinueHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Yara callback received an unhandled message (6).

Leave a comment

No comments yet.