Manalyze report for 2c17f6b8b4e83195a012676f0423418b

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Oct-25 21:51:09
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with VMProtect	`Unusual section name found: .vmp0` `Unusual section name found: .vmp1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress`
Malicious	VirusTotal score: 45/71 (Scanned on 2020-11-14 09:02:15)	`MicroWorld-eScan: Trojan.GenericKD.44216175` `FireEye: Generic.mg.2c17f6b8b4e83195` `CAT-QuickHeal: Trojan.Wacatac` `McAfee: Artemis!2C17F6B8B4E8` `Cylance: Unsafe` `Zillya: Trojan.VMProtect.Win64.3538` `AegisLab: Trojan.Win32.Generic.4!c` `Sangfor: Malware` `K7AntiVirus: Trojan ( 0055b8231 )` `Alibaba: Packed:Win64/VMProtect.d1696256` `K7GW: Trojan ( 0055b8231 )` `Cybereason: malicious.69cdb0` `Invincea: Mal/Generic-R + Mal/VMProtBad-A` `Cyren: W64/Trojan.RXLG-2764` `Symantec: Trojan.Gen.2` `APEX: Malicious` `Paloalto: generic.ml` `BitDefender: Trojan.GenericKD.44216175` `Avast: Win64:Trojan-gen` `Ad-Aware: Trojan.GenericKD.44216175` `Sophos: Mal/VMProtBad-A` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: TROJ_GEN.R002C0RJT20` `McAfee-GW-Edition: BehavesLike.Win64.Generic.tc` `Emsisoft: Trojan.GenericKD.44216175 (B)` `GData: Trojan.GenericKD.44216175` `eGambit: Unsafe.AI_Score_98%` `Avira: HEUR/AGEN.1138341` `MAX: malware (ai score=83)` `Arcabit: Trojan.Generic.D2A2AF6F` `ViRobot: Trojan.Win32.Z.Agent.5942272.A` `Microsoft: Trojan:Win32/Ymacco.AA6E` `Cynet: Malicious (score: 100)` `AhnLab-V3: Trojan/Win32.Wacatac.C4205433` `ALYac: Trojan.GenericKD.44216175` `TACHYON: Trojan/W64.Agent.5942272` `ESET-NOD32: a variant of Win64/Packed.VMProtect.IH` `TrendMicro-HouseCall: TROJ_GEN.R002C0RJT20` `Ikarus: Trojan.Win64.Vmprotect` `MaxSecure: Trojan.Malware.109283778.susgen` `Fortinet: W32/VMProtBad.A!tr` `Webroot: W32.Trojan.Gen` `AVG: Win64:Trojan-gen` `CrowdStrike: win/malicious_confidence_90% (W)` `Qihoo-360: Generic/HEUR/QVM202.0.D9C7.Malware.Gen`

Hashes

MD5	`2c17f6b8b4e83195a012676f0423418b`
SHA1	`4c421ab69cdb08c827ca2dcadde196fb1a9c89b3`
SHA256	`6e8b9864076efdce4ddf68eba70a357590acd274f6c9c778ae2d389d4d883834`
SHA3	`5e6dab6b754b88bf6ae52f293b3b5c31f16c2e3b3a3c8ee5258eec71937277bb`
SSDeep	`98304:0qUNIL6n8BJ5deM7b4rTWJwuHHfNnRX0AECEqqb:jUmWnsJXdn4/WJ7/wAECRqb`
Imports Hash	`6cb864a0443cbaf96118645f17600a71`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2020-Oct-25 21:51:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x110a00`
SizeOfInitializedData	`0x56a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000004ED2CE (Section: .vmp1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xa7e000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1108a8`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x41546`
VirtualAddress	`0x112000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x65d8`
VirtualAddress	`0x154000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xcea0`
VirtualAddress	`0x15b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

_RDATA

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x94`
VirtualAddress	`0x168000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.vmp0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x367281`
VirtualAddress	`0x169000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

.vmp1

MD5	`c000ba5aaddf6942683acb76c6260b52`
SHA1	`850b35edd1a700b70d832c6f4336dc7585d02779`
SHA256	`e444202b77aed64615fcc7074927b257c43aee7c8d256502df9afb87bc5790fd`
SHA3	`4328a8062241923898eb117227638f572eea8068b2dfcd39d3b60407ef1ac212`
VirtualSize	`0x5aa33c`
VirtualAddress	`0x4d1000`
SizeOfRawData	`0x5aa400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.91063`

.reloc

MD5	`23d363612554c8ccb3b0c38690ed4ae9`
SHA1	`e49448ffcd25f8fef4944a30da1eb458e0312cc2`
SHA256	`0045757fc97ecef330929ac67e8ab7073bdd0b3747aaaa0514a3f607523093c8`
SHA3	`6f2bfe9b76a944b99df4c6a1ef5532f7581373b5be5dbdda03ef8a01fc0e74fc`
VirtualSize	`0xb0`
VirtualAddress	`0xa7c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5aa800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.70004`

.rsrc

MD5	`257091449dfd73c67db262a1b5601279`
SHA1	`9795ff881d9b649f917b941393a02064a76eac99`
SHA256	`20d6325b5aaebc22aa4a14ff4c1864150e92d7f3e9249f498e641e6b56cc9dce`
SHA3	`6e4857ef5628623e9d58d923cc4e278781b3e4a7a8fe086ab60b8db13433dcb0`
VirtualSize	`0x1d5`
VirtualAddress	`0xa7d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5aaa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

Imports

KERNEL32.dll	`GetVersionExW`
USER32.dll	`MoveWindow`
WTSAPI32.dll	`WTSSendMessageW`
KERNEL32.dll (#2)	`GetVersionExW`
USER32.dll (#2)	`MoveWindow`
KERNEL32.dll (#3)	`GetVersionExW`
USER32.dll (#3)	`MoveWindow`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

Size	`0x130`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140154138`

RICH Header

Errors

[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section _RDATA has a size of 0!
[*] Warning: Section .vmp0 has a size of 0!