Manalyze report for 3359a111d341ae6daf2593202b4aebbcca3e7502d45c17830a6c45a075e39127

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-03 01:23:14

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: https://t.me https://vacban.wtf`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: CreateRemoteThread OpenProcess VirtualAllocEx WriteProcessMemory` `Possibly launches other programs: ShellExecuteA` `Memory manipulation functions often used by packers: VirtualAllocEx VirtualProtect` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: OpenProcess ReadProcessMemory WriteProcessMemory Process32First Process32Next`
Malicious	VirusTotal score: 14/70 (Scanned on 2026-05-05 01:00:51)	`Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_90% (D)` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Google: Detected` `Malwarebytes: Malware.Heuristic.2518` `McAfeeD: ti!3359A111D341` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Save.a` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score` `TrendMicro-HouseCall: Trojan.Win64.Gen.TL0101E426ZY` `Varist: W64/ABRisk.RZDN-5647`

Hashes

MD5	`7c6c443c3090b15bf3f93a8785bef042`
SHA1	`bf4e45fb432cf573774c28e5bb837da2e7e46025`
SHA256	`3359a111d341ae6daf2593202b4aebbcca3e7502d45c17830a6c45a075e39127`
SHA3	`a7c13e69e771a27a84410aeb9f23d4b7a0db5de43ba751a2269cd6fbe8663048`
SSDeep	`3072:E3TziY3gWzGRGXMx4ZV5vw2TIiOlvnNMKu2tSXrXQB47+LjD/fophSF/NVM/LiA:wzXzpvwAIiOpnqKuJXMM+G5`
Imports Hash	`e6f7e0790022fbf6572dc4350828314f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-May-03 01:23:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2a400`
SizeOfInitializedData	`0x18800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000A24C (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x47000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7c6232e43527a2becf3b0209f263f7d4`
SHA1	`141c06059a392e5ff133563f6da2c12b304474fb`
SHA256	`4f428e18233dedc7823a1793770cf3096ee20a163bb4d0522daa7b50dfa31e76`
SHA3	`b78a69036282eab6313ccc02142a7bbd6adecd7e75ba28aefae2e67b88b68ac0`
VirtualSize	`0x2a3c4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2a400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46803`

.rdata

MD5	`4c6fac0e07c96ef10d6df0ecaac1368d`
SHA1	`c9cb66ee1164d5a56203be245a13ef4b7587dc7e`
SHA256	`22d882dea302643b09f033ed731f75da3cfcbf3a14986045a22108c2cc1655a0`
SHA3	`a16eb83ec2d9cca3dec3ede0fe1bfff1e22ae4df92df3dd8f0539359aac49378`
VirtualSize	`0x12fd4`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x13000`
PointerToRawData	`0x2a800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.11952`

.data

MD5	`a89360f43b45f5f366d49ac8cf17e670`
SHA1	`801fba4daa155697986163c83aa02aa7f729d681`
SHA256	`a68a6522d90c607fbcd048c049c63d5a728ea15f943f23d0d66b7401df683672`
SHA3	`d8479844239327a3f8741fafd55031a15d82d21673632baf552da10a1e1b6f6d`
VirtualSize	`0x256c`
VirtualAddress	`0x3f000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x3d800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.79719`

.pdata

MD5	`02497f60fc4c6e4ea68224f903299114`
SHA1	`9ce748a7d3658ae9312a0ed2619c2ac7da1ac2bc`
SHA256	`2ed187f7a90814c76559229999e290892ab2a08acf741752dd6d5ec142a1891b`
SHA3	`9776db340f4f0a7226f90a88b80df7005a8a9911093b3c9f17a937b441aa2d35`
VirtualSize	`0x2508`
VirtualAddress	`0x42000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x3ec00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.34999`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x41200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`72e749dadecf0640f8545961dd52d35e`
SHA1	`232ad4e71988d1a1eae6d8285d55762c58acb43b`
SHA256	`55321f1c75de2a6ea76313833a59806f739c3d63c9fde955ff7631537a677e49`
SHA3	`7210614f26fa126cba03030482a419e9dda9e47f4fed0055c62490787a6089b0`
VirtualSize	`0x9c0`
VirtualAddress	`0x46000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x41400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.37827`

Imports

SHELL32.dll	`ShellExecuteExA` `ShellExecuteA`
ADVAPI32.dll	`GetTokenInformation` `OpenProcessToken`
KERNEL32.dll	`CreateFileW` `WriteConsoleW` `FlsAlloc` `GetFileAttributesA` `GetFullPathNameA` `CloseHandle` `GetLastError` `WaitForSingleObject` `Sleep` `GetCurrentProcess` `TerminateProcess` `CreateRemoteThread` `GetExitCodeThread` `OpenProcess` `VirtualAllocEx` `ReadProcessMemory` `WriteProcessMemory` `GetModuleFileNameA` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `LoadLibraryW` `SetConsoleTitleA` `CreateToolhelp32Snapshot` `Process32First` `Process32Next` `WideCharToMultiByte` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `EncodePointer` `DecodePointer` `MultiByteToWideChar` `LCMapStringEx` `GetStringTypeW` `GetCPInfo` `SetUnhandledExceptionFilter` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `HeapSize` `RtlPcToFileHeader` `RaiseException` `RtlLookupFunctionEntry` `RtlUnwindEx` `SetLastError` `RtlUnwind` `FlsGetValue` `FlsSetValue` `FlsFree` `ExitProcess` `FreeLibrary` `GetModuleHandleExW` `IsProcessorFeaturePresent` `GetModuleFileNameW` `GetStdHandle` `WriteFile` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `RtlCaptureContext` `RtlVirtualUnwind` `IsDebuggerPresent` `UnhandledExceptionFilter` `GetFileType` `VirtualProtect` `LoadLibraryExW` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `ReadFile` `GetFileSizeEx` `SetFilePointerEx` `ReadConsoleW` `HeapReAlloc` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `GetProcessHeap` `SetStdHandle`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-03 01:23:14
Version	`0.0`
SizeofData	`900`
AddressOfRawData	`0x3b3b0`
PointerToRawData	`0x39bb0`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003f080`

RICH Header

XOR Key	`0x3752c807`
Unmarked objects	`0`
C++ objects (33145)	`167`
C objects (33145)	`17`
ASM objects (33145)	`7`
ASM objects (35403)	`10`
C objects (35403)	`16`
C++ objects (35403)	`80`
Imports (33145)	`7`
Total imports	`115`
C++ objects (35730)	`1`
Linker (35730)	`1`

Errors

Leave a comment

No comments yet.