Manalyze report for 2f0a6a2cfd192aa2cc5670ddc94943942272e8dd1043d00f36aefd58be25c8c1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jun-03 20:53:54
TLS Callbacks	1 callback(s) detected.

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for VirtualBox presence: 080027 08:00:27` `May have dropper capabilities: CurrentControlSet\Services CurrentVersion\Run` `Contains a XORed PE executable: a5 99 98 82 d1 81 83 9e 96 83 90 9c d1 92 90 9f 9f 9e 85 d1 ...` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` Contains domain names: crl.microsoft.com digicert.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://www.microsoft.com http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pkiops/Docs/Repository.htm0 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202013.crt0 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202013.crl0 http://www.microsoft.com/pkiops/docs/primarycps.htm0 http://www.microsoft.com0 microsoft.com www.digicert.com www.microsoft.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to AES`
Malicious	The file headers were tampered with.	`The RICH header checksum is invalid.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: NtCreateNamedPipeFile NtWriteFile NtOpenFile` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Has Internet access capabilities: WinHttpCrackUrl WinHttpCloseHandle` `Leverages the raw socket API to access the Internet: WSAStartup`
Suspicious	The file contains overlay data.	`5844 bytes of data starting at offset 0x736200.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`ba4f2c9ed599b3e770f9436d1d9273f5`
SHA1	`faa5a5d66d90e885460520e180a1b55f7e0b98a0`
SHA256	`2f0a6a2cfd192aa2cc5670ddc94943942272e8dd1043d00f36aefd58be25c8c1`
SHA3	`15b2bbce5d162b46ca64a6702c6fc7e01ad06791876951e594247b6ebf55a5c4`
SSDeep	`24576:nX+FlbNwP2+DkB5oAgxOKrYvsjDFptJ9evhqVuZMykJ0uxkqP09cLkm7qeD4Q+ef:nX0lbCP`
Imports Hash	`e8d6ab2a6dc88bea1a31968de79126ad`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2020-Jun-03 20:53:54
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x42600`
SizeOfInitializedData	`0x6f4400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000034A74 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x73b000`
SizeOfHeaders	`0x400`
Checksum	`0x746241`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1b1ad4f43a677650be9e8543cef5499f`
SHA1	`1b8e590814b0b73af5622447e6087f0015800dfa`
SHA256	`d01a58279e3bcacf88e316cc4233db31513d528d775537cdbd0fbfd180c65bbd`
SHA3	`88969e3290551b459c430a0958e9e37d4673b02d63af070632f9429052e7b9d1`
VirtualSize	`0x42570`
VirtualAddress	`0x1000`
SizeOfRawData	`0x42600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48443`

.rdata

MD5	`20deb66dbccb09eb08fbb33dde283a14`
SHA1	`619c426a0350275a33c41b79e3286427514ff375`
SHA256	`ab7a33f13e5250e47ef06ea4cde92e24a7b1d7ba73747c2ad4a5cfd0ee0ae9b2`
SHA3	`c6367d635a6cb94b630ed131bcb921a449ec67575cd0b868ca7cceeb7921a2cc`
VirtualSize	`0x6ef400`
VirtualAddress	`0x44000`
SizeOfRawData	`0x6ef400`
PointerToRawData	`0x42a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.88905`

.data

MD5	`822acba2f2bedb57004a69cce705b663`
SHA1	`7d7ca36b9614fcc35e65c614ea91b4749e9a3822`
SHA256	`e83d6781ceec474f30062dd9fc44ff0494025690ba8a4c4ac39a64db1607ecee`
SHA3	`421f9f67ebee5578ec938c5497914a655f2db6b23bcc43dd0fb8595c3eb63f31`
VirtualSize	`0x1720`
VirtualAddress	`0x734000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x731e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.97294`

.tls

MD5	`e8a2078fad8a48d8f783da7015d485f4`
SHA1	`b3f05638f031d28d04516ce8cafdf6c95d421841`
SHA256	`eed6c5d2e79c798a4e572ee206e04fbb172cd4fb25654a951d1bf7fb923cd2f7`
SHA3	`df33ebc5a45f55fc9465a99c329a021f352c1a0b246df995ecd25839c156e211`
VirtualSize	`0x28ec`
VirtualAddress	`0x736000`
SizeOfRawData	`0x2a00`
PointerToRawData	`0x732a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.63091`

.pdata

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x739000`
SizeOfRawData	`0x200`
PointerToRawData	`0x735400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`9ec8a1793afdd379833f0f539f6c7ab1`
SHA1	`c20d868771f5569d939a984e0c8a57963014448a`
SHA256	`aa8816161459aefaa2d4eb4c3d3286534f73bee9c93c9c6fd986248e671efca5`
SHA3	`23b4556a948c24f50f836a13f64a143634b24a82317c1f4235b3e384048e11ea`
VirtualSize	`0xa70`
VirtualAddress	`0x73a000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x735600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.12976`

Imports

CRYPT32.dll	`CertFreeCertificateContext`
Secur32.dll	`GetUserNameExW`
WINHTTP.dll	`WinHttpCrackUrl` `WinHttpCloseHandle`
bcrypt.dll	`BCryptOpenAlgorithmProvider`
WINTRUST.dll	`WinVerifyTrust`
WS2_32.dll	`WSAStartup`
KERNEL32.dll	`SetFilePointerEx` `FlushFileBuffers` `HeapSize` `LCMapStringW` `CompareStringW` `LoadLibraryA` `GetProcAddress` `GetProcessHeap` `HeapFree` `ExitProcess` `GetModuleHandleA` `CloseHandle` `GetTickCount64` `FindFirstFileExW` `GetFileAttributesW` `GetLastError` `FindNextFileW` `FindClose` `GetLocalTime` `Sleep` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `GetCurrentThread` `HeapReAlloc` `VirtualAlloc` `VirtualProtect` `GetCurrentThreadId` `SetLastError` `GetCurrentDirectoryW` `RtlCaptureContext` `RtlLookupFunctionEntry` `WaitForSingleObjectEx` `GetCurrentProcess` `lstrlenW` `GetCurrentProcessId` `ReleaseMutex` `RtlVirtualUnwind` `WideCharToMultiByte` `GetStdHandle` `GetConsoleMode` `GetConsoleOutputCP` `WaitForSingleObject` `MultiByteToWideChar` `WriteConsoleW` `HeapAlloc` `GetEnvironmentVariableW` `GetFullPathNameW` `GetFileInformationByHandle` `GetFileInformationByHandleEx` `CreateFileW` `SetFileTime` `SetFileInformationByHandle` `GetModuleHandleW` `FormatMessageW` `GetModuleFileNameW` `DeleteFileW` `WriteFileEx` `SleepEx` `ReadFileEx` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `CompareStringOrdinal` `GetSystemDirectoryW` `GetWindowsDirectoryW` `CreateProcessW` `DuplicateHandle` `CreateThread` `SetErrorMode` `FindFirstFileW` `FlsAlloc` `HeapDestroy` `TlsFree` `LoadLibraryExW` `CreateMutexA` `GetStringTypeW` `GetFileType` `SetStdHandle` `SetEnvironmentVariableW` `GetCPInfo` `GetOEMCP` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `InitializeSListHead` `SetUnhandledExceptionFilter` `GetStartupInfoW` `RtlUnwindEx` `FlsGetValue` `FlsSetValue` `FlsFree` `EncodePointer` `RaiseException` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `RtlPcToFileHeader` `WriteFile` `TerminateProcess` `FreeLibrary` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `IsProcessorFeaturePresent` `IsDebuggerPresent` `UnhandledExceptionFilter` `IsValidCodePage` `GetACP`
USER32.dll	`GetCursorPos` `GetForegroundWindow`
ADVAPI32.dll	`GetUserNameW`
api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress` `WakeByAddressSingle` `WakeByAddressAll`
ntdll.dll	`NtCreateNamedPipeFile` `NtWriteFile` `RtlNtStatusToDosError` `NtOpenFile`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x14072d1b8`
EndAddressOfRawData	`0x14072d210`
AddressOfIndex	`0x140734c28`
AddressOfCallbacks	`0x1400444d0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x00000001400214B0`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1407340c0`

RICH Header

XOR Key	`0x503c66b6`
Unmarked objects	`0`
C objects (CVTCIL) (VS2019 Update 2 (16.2) compiler 27905)	`181`
C++ objects (VS2010 SP1 build 40219)	`76`
Linker (VS2013 build 21005)	`113`
C++ objects (VS2017 v15.8.1 compiler 26726)	`113`
C++ objects (POGO O) (33135)	`57`
Imports (VS2017 v15.3.* compiler 25506)	`122`

Errors

[!] Error: Could not read PDB file information of invalid magic number.

Leave a comment

No comments yet.