Manalyze report for 3134839d0072fb459306818bc3e7b940

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Jul-05 20:11:46
Detected languages	English - United States Turkish - Turkey

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .xorstr0` `Unusual section name found: .xorstr1` `Unusual section name found: .xorstr2`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCloseKey` `Possibly launches other programs: ShellExecuteA`
Malicious	VirusTotal score: 37/74 (Scanned on 2024-07-11 08:49:22)	`AVG: Win64:Evo-gen [Trj]` `Avast: Win64:Evo-gen [Trj]` `Avira: HEUR/AGEN.1371804` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Packed.VMProtect.X suspicious` `Elastic: malicious (high confidence)` `F-Secure: Heuristic.HEUR/AGEN.1371804` `FireEye: Generic.mg.3134839d0072fb45` `Fortinet: Riskware/Application` `GData: Win64.Trojan.Agent.CM9H5L` `Google: Detected` `Gridinsoft: Trojan.Heur!.02212023` `Ikarus: PUA.VMProtect` `K7AntiVirus: Trojan ( 0059f2a61 )` `K7GW: Trojan ( 0059f2a61 )` `Kaspersky: UDS:Trojan.Win32.Agent.xbrrpr` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Malware.AI.2316010227` `MaxSecure: Trojan.Malware.300983.susgen` `McAfee: Artemis!3134839D0072` `McAfeeD: Real Protect-LS!3134839D0072` `Microsoft: Trojan:Win32/Sabsik.TE.B!ml` `Paloalto: generic.ml` `Rising: Trojan.Agent!8.B1E (TFE:5:C7MlCwcU6tH)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: Artemis` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `Varist: W64/ABRisk.DDIR-0811` `ZoneAlarm: UDS:Trojan.Win32.Agent.xbrrpr` `alibabacloud: VirTool:Win/Packed.VMProtect.X`

Hashes

MD5	`3134839d0072fb459306818bc3e7b940`
SHA1	`1383979dc1c01b0ca9c4f08816a477d7e970b0af`
SHA256	`8f5fe9349c8ae075b4c3d31dd0a831c51283055f601dd62ae1ddfa8d33c4dfb2`
SHA3	`fcb936cab3616360fa3bf72aa383c1bd838558dacdee42497d58ec769ad93f2a`
SSDeep	`393216:NBs4OQNyGErstcgNqqXguTfr8PY+LcuyFlzK0NMWPMbFxo2/HR5i7:j/ySFPvF+b4PNMW0bFy2HM`
Imports Hash	`8b94bed6f0010a51a95e3149932a0fa3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2024-Jul-05 20:11:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x97800`
SizeOfInitializedData	`0x458c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000024993F7 (Section: .xorstr2)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x2d86000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x9763c`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x57b6a`
VirtualAddress	`0x99000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3f98f8`
VirtualAddress	`0xf1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x3240`
VirtualAddress	`0x4eb000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.xorstr0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xdb09d4`
VirtualAddress	`0x4ef000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.xorstr1

MD5	`a469b684339f42c1508d74c57e680328`
SHA1	`88c3199c8a903efd5bab1eb90bb1d4b35085444c`
SHA256	`1ef4ad5ef468f31eb73a27013e0de069f0110c9a44f356da093965b06981fbff`
SHA3	`a5340ad18a98fbf2ea974be03510adfea84e2ef59a7506a4e00c2b55ca2d16d6`
VirtualSize	`0xf50`
VirtualAddress	`0x12a0000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.329234`

.xorstr2

MD5	`e4480b09f110db3d680319de8d040208`
SHA1	`86ea3fa16f986ee3f0462e3246c61253649718b1`
SHA256	`5565fed23199e470364ae616897c82a45800a387f869790a5630a689b13516b9`
SHA3	`df2070647b9af8a09db2b1458acd6b3afdd07d77fb73b8da3cf40d78e89c3e18`
VirtualSize	`0x1adf440`
VirtualAddress	`0x12a1000`
SizeOfRawData	`0x1adf600`
PointerToRawData	`0x1400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.82196`

.reloc

MD5	`848bf33bb4f3567789ba40155b7ad02a`
SHA1	`7c10b2b3a67df73b3ec7458b6afee8152c5cb9eb`
SHA256	`fde4d076db2b9ad94e8e6870c02c00b64ed081731809e1fc08a2722156ffc401`
SHA3	`78e342a39d98ccf1cd2ad5266ba71eda89c7d3189b8b50d3e74bbf34c7125e6f`
VirtualSize	`0x128`
VirtualAddress	`0x2d81000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1ae0a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.80614`

.rsrc

MD5	`a153f61ef7ff92a2041ec1b4738fe46c`
SHA1	`3542e993d910ee239bf2bfa6f2f59d3cf4f75e74`
SHA256	`8ecc81a082275ca502feab4844035e61977f24f7f18cc6576a5e96251501dbd0`
SHA3	`77d8d99d628eac86e86725fc2f3db84412cad9131d3cf7d58e338c2505e52655`
VirtualSize	`0x3db8`
VirtualAddress	`0x2d82000`
SizeOfRawData	`0x3e00`
PointerToRawData	`0x1ae0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.48613`

Imports

KERNEL32.dll	`DeviceIoControl`
USER32.dll	`DestroyWindow`
ADVAPI32.dll	`RegCloseKey`
SHELL32.dll	`ShellExecuteA`
IMM32.dll	`ImmReleaseContext`
MSVCP140.dll	`?_Throw_Cpp_error@std@@YAXH@Z`
ntdll.dll	`RtlCaptureContext`
d3d9.dll	`Direct3DCreate9Ex`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
VCRUNTIME140.dll	`__current_exception_context`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
api-ms-win-crt-string-l1-1-0.dll	`isprint`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vsnprintf_s`
api-ms-win-crt-heap-l1-1-0.dll	`free`
api-ms-win-crt-utility-l1-1-0.dll	`rand`
api-ms-win-crt-math-l1-1-0.dll	`pow`
api-ms-win-crt-convert-l1-1-0.dll	`atof`
api-ms-win-crt-runtime-l1-1-0.dll	`__p___argc`
api-ms-win-crt-filesystem-l1-1-0.dll	`_wremove`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
KERNEL32.dll (#2)	`DeviceIoControl`
KERNEL32.dll (#3)	`DeviceIoControl`

Delayed Imports

1

Type	`RT_ICON`
Language	Turkish - Turkey
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29091`
MD5	`2cc1ab758d8e59c11ca850dc95d39940`
SHA1	`e7f4b82144806ddcba3d56a615d3a44f335ee0e6`
SHA256	`a079bc60b8152655da924182c8e0b515501ace307f5e033cdedaafc4ffa37140`
SHA3	`f1882730ac9360d284adb23f99f3374b2ba9a5db437b937300e532e50fb5d54a`

2

Type	`RT_ICON`
Language	Turkish - Turkey
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.41089`
MD5	`c74439b82847bd212192310ff5bb62f5`
SHA1	`a9554b27b9f801e9520b06a80f410d792141105a`
SHA256	`37d1bbfbed258e454ce1f86005962310b5efe319ce654e3936645ecc1d5ff412`
SHA3	`415ca9a4af58114adb3ce710c0a27934831ca1d7d659649b24841223895d9696`

3

Type	`RT_ICON`
Language	Turkish - Turkey
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.40167`
MD5	`89a8f227673fd38922881fd4eb69d8ba`
SHA1	`95776005759a82bf99a6f589d8e6228873621485`
SHA256	`7197535336859eb3f336d41a82ba264798da804a40fd211fb096cf126e6082d5`
SHA3	`82877021b31cef4add6eee5dafbf8f20108f645b64bbec9317cbcd7b527a60a9`

101

Type	`RT_GROUP_ICON`
Language	Turkish - Turkey
Codepage	UNKNOWN
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`409e1724611e0bc39356e2f58888db55`
SHA1	`c06c0e66cc2f7956256e2f018aa0294bfa914960`
SHA256	`6ab18c3b81a5d30c5a190a4504cae807d73b1a4d02d56ffddf641abbb62b7210`
SHA3	`315b2ad40793f4ef885ff4c878169b02c62f619b57780a98a76c8538cd0ee5c9`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1404e95c0`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .xorstr0 has a size of 0!