Manalyze report for 349a6430b054a6331fdbf17ad3241eda752a565ca09060ad9117f57d488e01a7

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Apr-15 05:29:57

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: QeMu`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`22542637 bytes of data starting at offset 0x43a00.` `The overlay data has an entropy of 7.99733 and is possibly compressed or encrypted.` `Overlay data amounts for 98.7862% of the executable.`
Malicious	VirusTotal score: 5/68 (Scanned on 2021-08-06 10:08:10)	`Cynet: Malicious (score: 100)` `Zillya: Trojan.Badur.Win32.34336` `Antiy-AVL: Trojan/Generic.ASMalwS.329A072` `Malwarebytes: Spyware.PasswordStealer.Python` `Fortinet: PossibleThreat.PALLAS.H`

Hashes

MD5	`05d29ccc8acb91ae1ac79b80b4e4626d`
SHA1	`3f3a7d58b4536eff12de76465b1d3943e2adf6a9`
SHA256	`349a6430b054a6331fdbf17ad3241eda752a565ca09060ad9117f57d488e01a7`
SHA3	`30ef921df6d87f5fa444560b0f1ecce8233c70803274dc9ce9adfe449b091416`
SSDeep	`393216:d4EbtCPC9c5hlER77w8CvCtWd49M/1OClBHJFA76K/DdOqUJnAdZYyg+rRz8G7G:3tyuEhk77w8Cvv+MFBHJC762pOqUdAd`
Imports Hash	`d74d76c7011bfcc0cc1ebcb319809a31`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2021-Apr-15 05:29:57
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x20e00`
SizeOfInitializedData	`0x22800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000088FC (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x57000`
SizeOfHeaders	`0x400`
Checksum	`0x15c6f8a`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`fae68ae4cb09ed4473133603211e0d4f`
SHA1	`25995fdef96f5b74995b1f7751d071191925c384`
SHA256	`31381725f3a38fdeb3fa93722506bf24a9f905e0b5b1c9b4ba4040f8fb9c6e24`
SHA3	`d6ec462f712bc2fa00cef8f67797b55ebb526b090079c129e090f9536efef84a`
VirtualSize	`0x20d20`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46641`

.rdata

MD5	`58b7839e91377c396935223db863ebe6`
SHA1	`677d221344aeec3ea12abde22798a307ca7bafe9`
SHA256	`6cb426f7ab608ef55bfc07d465a2e880ec9a4b011a4521618b60623e0f5765c3`
SHA3	`83a2387491dc4e06c2e52cee90678347166d6c5bb9706553d328d3e44929d2d5`
VirtualSize	`0xff66`
VirtualAddress	`0x22000`
SizeOfRawData	`0x10000`
PointerToRawData	`0x21200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.78608`

.data

MD5	`e9718b9399bfd38a592aefa6d7d858b6`
SHA1	`201164c6960599cb3a66c9ea8d6adaf077e748f3`
SHA256	`e8e021b2a0ee7cf9649726be39a487275b74ab33f541eda35c7943fc3635bc75`
SHA3	`5cef00ef072bcfe49353798d542ebcdeb6b394b6bea18d0fb722d8a23ae94a99`
VirtualSize	`0x10148`
VirtualAddress	`0x32000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x31200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.83906`

.pdata

MD5	`232454b7409b474433d83d8065800b17`
SHA1	`0f1d8fa6c681945b76cb8804df21429a0e40aec1`
SHA256	`c0b7ffd202d851a378e24ea9c8c0664e4906678cf5f0d411d11b8054e040b859`
SHA3	`1ce0c395f28f1d4b8648ab3d7c3504f47c2aaf5af285e87d64a0c00d3a4d2151`
VirtualSize	`0x1bd8`
VirtualAddress	`0x43000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x31e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.3353`

_RDATA

MD5	`96c728591737ff6fffd77c70eaa0d7a0`
SHA1	`44b7e7e32808e17df1a596f100c93c7a8c00d3e6`
SHA256	`5870de0994458295af8fda99d1c92ba771040520931f0a94b79a22bde05d74a2`
SHA3	`2eb21863cc3794339fea6768400b5b7dd74a7b4b75648e10b07eb7ea38a831a8`
VirtualSize	`0x94`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x33a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.07276`

.rsrc

MD5	`aec749cfcc90f2c67626d97cd6719221`
SHA1	`f94bfef1e0b857d8a6cc89ab5d76cb50ed4bab2b`
SHA256	`106fa709365ee79f836efcf92f27ecf459ff226e74f128fcc08dc2de0e60eeef`
SHA3	`b92ba8f1e26efbdfdcf0e0e669d719ed8699962587f4af0d10c220cfe22edec5`
VirtualSize	`0xf4e0`
VirtualAddress	`0x46000`
SizeOfRawData	`0xf600`
PointerToRawData	`0x33c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.55571`

.reloc

MD5	`ba78a66d571722a646338a978c4f14a9`
SHA1	`e08992283908bd2c64d2e5bb797abc84f768ee10`
SHA256	`9821b4d2a9022241faaeee6cfbfd3569ee71ec77fb1d2f966d4729325b3ae368`
SHA3	`97fc7b7b021db08b01158948a39719d204960d40a10710b1769c0c6222fe5ce9`
VirtualSize	`0x6e8`
VirtualAddress	`0x56000`
SizeOfRawData	`0x800`
PointerToRawData	`0x43200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.08401`

Imports

USER32.dll	`MessageBoxW` `MessageBoxA`
KERNEL32.dll	`GetModuleFileNameW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `SetDllDirectoryW` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `CloseHandle` `GetCurrentProcess` `LoadLibraryA` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `HeapReAlloc` `GetLastError` `WriteConsoleW` `SetEndOfFile` `GetExitCodeProcess` `FreeLibrary` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `RaiseException` `GetCommandLineA` `ReadFile` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapAlloc` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleCP` `GetFileSizeEx` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `GetFileAttributesExW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize`
ADVAPI32.dll	`ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15653`
MD5	`15d6a8563184abef13a1ee75aea262ad`
SHA1	`d7d896432efd845f283f2b98a66486df05bf5e10`
SHA256	`7cccfafd00332ac9c9f6ac0112cc0653991eb169943919e55d05f3fa15929821`
SHA3	`93904dad7224f31021bf8d53753e553f8233c2f40f6dbe25e67b692c6ae378ab`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.44895`
MD5	`1c06420cfb94514d35c088699a04774d`
SHA1	`2c23d7df4bc8ce3fb15f33e78c042b12814aea3b`
SHA256	`d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e`
SHA3	`a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.77742`
MD5	`db1208cf5d76055be1c3a34567af9f5a`
SHA1	`c5adcd7407c8b18459e4b4ce96fb70ecf5701a97`
SHA256	`5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5`
SHA3	`549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x952c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95095`
Detected Filetype	PNG graphic file
MD5	`f6fbada22d6a6c07ef8fdaa504f117d5`
SHA1	`591a723501eff1a4920462f8efcaf3715e829450`
SHA256	`3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f`
SHA3	`ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.0521`
MD5	`86ce219c337119fe35646823cb56d091`
SHA1	`74d3090f01f3128bda93a3a7525f139c495bffbd`
SHA256	`7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee`
SHA3	`8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15081`
MD5	`58b7700e8f20d0a3c77021eb7e7019dc`
SHA1	`87f7668b96ab48bd6ba5c8b9968dbb024a028407`
SHA256	`c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a`
SHA3	`13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.39466`
MD5	`9de69c1c4b3a06597da9c275b38bffb6`
SHA1	`a4ed3bd1bb4edc0eaa187b68929f596906e9ee87`
SHA256	`ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30`
SHA3	`6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`cd3a631eace19041876b4c4c6ec8461a`
SHA1	`d4b3f99c4d648e3446dc05e7fb6e444e42dfed01`
SHA256	`f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838`
SHA3	`b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5d4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.27592`
MD5	`6d36e0f01ab1671c57b5a3c0f6e4e7cc`
SHA1	`648c6a40db2c4a85e4ab5814f6f4ab806f0d2d60`
SHA256	`98a8c29ea1dd02791f7e7bb1ec5db66c4f11e2c9b768556e4120340edae1a6df`
SHA3	`fb1cfc78002346aacb44bd4f7599ba47da61e039b8911af665c41e7dc6f84279`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Apr-15 05:29:57
Version	`0.0`
SizeofData	`676`
AddressOfRawData	`0x2f580`
PointerToRawData	`0x2e780`

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140032018`

RICH Header

XOR Key	`0xfaefc3e3`
Unmarked objects	`0`
C objects (26715)	`10`
ASM objects (26715)	`7`
C++ objects (26715)	`185`
199 (41118)	`3`
C++ objects (VS 2015/2017/2019 runtime 29118)	`38`
C objects (VS 2015/2017/2019 runtime 29118)	`17`
ASM objects (VS 2015/2017/2019 runtime 29118)	`9`
Imports (26715)	`7`
Total imports	`116`
C objects (VS2019 Update 8 (16.8.4) compiler 29336)	`16`
Resource objects (VS2019 Update 8 (16.8.4) compiler 29336)	`1`
Linker (VS2019 Update 8 (16.8.4) compiler 29336)	`1`

Errors

Leave a comment

No comments yet.