375c8b2de50390faafa8d541d1da1523

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Mar-25 06:45:04
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (signature match only; the LinkerVersion 10.0 in the Optional Header and the Rich header entries below point to a Visual Studio 2010 build)
Suspicious Strings found in the binary may indicate undesirable behavior: Contains a base64-encoded executable:
  • TVqQAAMAAAAEAAAA//8AALgAAAA
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
Code injection capabilities (process hollowing; together with GetThreadContext and VirtualAllocEx, both present in the import table, this is the complete create-suspended, allocate, write, set-context, resume sequence):
  • SetThreadContext
  • WriteProcessMemory
  • ResumeThread
Possibly launches other programs:
  • CreateProcessW
Memory manipulation functions often used by packers:
  • VirtualProtectEx
  • VirtualAllocEx
Manipulates other processes:
  • ReadProcessMemory
  • WriteProcessMemory
Suspicious The file contains overlay data. 8037666 bytes of data starting at offset 0x2efc00.
Malicious VirusTotal score: 58/72 (Scanned on 2024-02-15 19:05:00)
ALYac: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi
APEX: Malicious
AVG: Win32:DropperX-gen [Drp]
AhnLab-V3: Trojan/Win.Redcap.C4412879
Alibaba: Worm:Win32/Antavmu.0f633d85
Antiy-AVL: Trojan/Win32.Antavmu
Arcabit: Trojan.ProcessHijack.EE667E
Avast: Win32:DropperX-gen [Drp]
Avira: HEUR/AGEN.1353317
BitDefender: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi
Bkav: W32.AIDetectMalware
CrowdStrike: win/malicious_confidence_100% (W)
Cybereason: malicious.d280f8
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.Inject4.10445
ESET-NOD32: Win32/Agent.OIM
Elastic: malicious (high confidence)
Emsisoft: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi (B)
F-Secure: Heuristic.HEUR/AGEN.1353317
FireEye: Generic.mg.375c8b2de50390fa
Fortinet: W32/Agent.OIM!worm
GData: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi
Google: Detected
Gridinsoft: Ransom.Win32.Wacatac.oa!s1
Ikarus: Worm.Win32.Agent
Jiangmin: Trojan.AntiAV.ehc
K7AntiVirus: Riskware ( 0040eff71 )
K7GW: Riskware ( 0040eff71 )
Kaspersky: HEUR:Trojan.Win32.Antavmu.gen
Kingsoft: win32.heurc.kvmh017.a
Lionic: Trojan.Win32.Antavmu.4!c
MAX: malware (ai score=83)
Malwarebytes: Generic.Malware/Suspicious
MaxSecure: Trojan.Malware.12187866.susgen
McAfee: GenericRXOL-EJ!375C8B2DE503
MicroWorld-eScan: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi
Microsoft: Trojan:Win32/Convagent!pz
NANO-Antivirus: Trojan.Win32.Antavmu.itxusr
Panda: Trj/CI.A
Rising: Trojan.Antavmu!8.2A5 (TFE:5:TpEP9eTr5yF)
Sangfor: Trojan.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.Generic.vm
Sophos: Mal/Generic-S
Symantec: ML.Attribute.HighConfidence
Tencent: Malware.Win32.Gencirc.10bf4502
Trapmine: malicious.moderate.ml.score
TrendMicro: TROJ_GEN.R002C0PEO21
TrendMicro-HouseCall: TROJ_GEN.R002C0PEO21
VBA32: BScope.Trojan.Wacatac
VIPRE: Gen:Trojan.ProcessHijack.@xZ@aCm7D8oi
Varist: W32/Agent.DKX.gen!Eldorado
VirIT: Trojan.Win32.Inject4.PLT
Yandex: Trojan.Antavmu!VyNOVK6GO5s
Zillya: Trojan.Antavmu.Win32.13924
ZoneAlarm: HEUR:Trojan.Win32.Antavmu.gen

Hashes

MD5 375c8b2de50390faafa8d541d1da1523
SHA1 6376762d280f89dcde1d580a340df0a00c8ce708
SHA256 8fb977568ae9dce5bc3f7587dcd8759bf6d58db781a856a2d2c522329854e741
SHA3 c9568a86c4bab583630bb768f9dee8a93173278793996926228517261c49e08c
SSDeep 24576:8pvxh4TO4OsVZRzALvx44ApeIknRC9EpXdPC+P+NvZLuksQtZaemNmWxNxxfc25D:K0TYsq24lICNPoNvtshwYzRDdYfi
Imports Hash b556371bf3a4933eccaf19b708d3f250

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8
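The base64 run flagged under Plugin Output (TVqQAAMAAAAEAAAA//8AALgAAAA) decodes to the first 20 bytes of a DOS header, and those bytes match this file's own DOS header above field for field (MZ, e_cblp 0x90, e_cp 3, e_cparhdr 4, e_maxalloc 0xffff, e_sp 0xb8). The Python below is an added example, not part of the report or of the analysis tool: it scans a buffer for base64-encoded MZ headers, decodes each run and parses the leading DOS fields. The sample buffer is constructed here with the flagged string embedded in it, and the pattern only catches a PE whose base64 encoding starts on its first byte.

```python
import base64
import re
import struct

# Constructed sample buffer: the base64 run reported under Plugin Output,
# embedded between ordinary NUL-terminated strings as it would sit in the
# binary's read-only data. Not extracted from the real file.
SAMPLE = (
    b"kernel32.dll\x00"
    b"TVqQAAMAAAAEAAAA//8AALgAAAA"
    b"\x00GetProcAddress\x00"
)

# "MZ\x90\x00" encodes to "TVqQ" only when base64 encoding starts at the PE's
# first byte; a PE encoded from a 1- or 2-byte misalignment has a different
# prefix and is not caught by this pattern.
B64_MZ = re.compile(rb"TVqQ[A-Za-z0-9+/]{12,}={0,2}")

# Leading IMAGE_DOS_HEADER fields, all little-endian WORDs.
DOS_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr",
              "e_minalloc", "e_maxalloc", "e_ss", "e_sp", "e_csum")


def decode_b64_run(run):
    """Decode a base64 run cut out of a larger buffer, tolerating a
    truncated final quantum (a lone trailing sextet cannot form a byte)."""
    if len(run) % 4 == 1:
        run = run[:-1]
    return base64.b64decode(run + b"=" * ((-len(run)) % 4))


def parse_dos_header_prefix(data):
    """Parse as many leading DOS header WORDs as the data contains."""
    count = min(len(data) // 2, len(DOS_FIELDS))
    values = struct.unpack("<%dH" % count, data[: 2 * count])
    return dict(zip(DOS_FIELDS, values))


def scan_for_embedded_pe(buf):
    """Return one record per base64-encoded MZ header found in buf."""
    hits = []
    for m in B64_MZ.finditer(buf):
        decoded = decode_b64_run(m.group(0))
        hits.append({
            "offset": m.start(),
            "run": m.group(0),
            "decoded": decoded,
            "is_mz": decoded[:2] == b"MZ",
            "dos_header": parse_dos_header_prefix(decoded),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_for_embedded_pe(SAMPLE):
        print("offset 0x%x: %s" % (hit["offset"], hit["run"].decode()))
        for name, value in hit["dos_header"].items():
            print("  %-11s 0x%x" % (name, value))
```

The decoded run here is too short to contain e_lfanew (offset 0x3c), so the PE header of the embedded image cannot be located from the string alone; on the real file the full base64 blob would have to be carved and decoded to get at the payload's section table.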

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2021-Mar-25 06:45:04
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x60600
SizeOfInitializedData 0x28f200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0005BDDE (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x62000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x2f4000
SizeOfHeaders 0x400
Checksum 0x2f179b
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6455ae3f1f892e5224d87d306f3c2993
SHA1 65a17c702f52defc8e1ddb4ff4142923425489a4
SHA256 35ef3d325f8816bf26681408cfb94cb1ef06c31abbfe97526a4ca0363ce2ebad
SHA3 26620aba4b55a83a61caac1a846f5d83f4653a9c80ebc43c8ababb3fce3c34fe
VirtualSize 0x60509
VirtualAddress 0x1000
SizeOfRawData 0x60600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.95082

.rdata

MD5 09290f54ec987144ac8d3e6bb007be7c
SHA1 1d69dfebeb29482f3a2b1915d3dcce6cd7259d76
SHA256 a61ebaee22110f372b2bc5b2f1785270e2d8087ba1510be1ef70d34aaabf93a4
SHA3 de57e3f4044af05ca150a7422683c6782296277a646d4029245a4c1d9383f421
VirtualSize 0x27e698
VirtualAddress 0x62000
SizeOfRawData 0x27e800
PointerToRawData 0x60a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.47408

.data

MD5 075f866efed2690f59641acbeb82c9bd
SHA1 2d3607340ab13344b9dd3cbad704529332ee334b
SHA256 bf453fa642b68b59c5147ecead583d4b6f5c04072f1d77697e3fbbb33d2bd714
SHA3 c92885037493e062b149a9455ed09818e0082a5591a62a7a53cbd46e8c5002be
VirtualSize 0x1b44
VirtualAddress 0x2e1000
SizeOfRawData 0xe00
PointerToRawData 0x2df200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.62828

.rsrc

MD5 42cf22c6fc1bb057c5f0e376fd28cbe7
SHA1 a691104c98b33bf4a628f0de377a44dc9f90fe8f
SHA256 8f58b7308cdbaa15892da09bffec75f22154946ce39a56403070c211b6461016
SHA3 1dfd2ec7de28b993baf33c5b7083d824204deda91c675e50f0473983bf799788
VirtualSize 0x1b4
VirtualAddress 0x2e3000
SizeOfRawData 0x200
PointerToRawData 0x2e0000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.1009

.reloc

MD5 81cf71406ff9ed9a78491368189ac34c
SHA1 56c48aee5ae23e62c1d49a20145ce00a03117158
SHA256 115485547fcd48936a4bf703770c6cf147b28f1281bb96d0afde75a9f25f6945
SHA3 c9d6dfc3aa13b5e49804ad483d878f733e7b4d5a27836992b3b70a6fce61c616
VirtualSize 0xf958
VirtualAddress 0x2e4000
SizeOfRawData 0xfa00
PointerToRawData 0x2e0200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.03661

Imports

KERNEL32.dll
GetThreadContext
FindFirstFileW
SetThreadContext
CreateProcessW
WaitForSingleObject
GetSystemDirectoryW
Sleep
ReadProcessMemory
TerminateProcess
GetLastError
GetProcAddress
VirtualProtectEx
VirtualAllocEx
GetLocalTime
GetModuleHandleA
FindNextFileW
CloseHandle
WriteProcessMemory
ResumeThread
EncodePointer
DecodePointer
GetCommandLineW
HeapSetInformation
GetStartupInfoW
RaiseException
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
HeapFree
IsProcessorFeaturePresent
HeapSize
GetModuleHandleW
ExitProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapReAlloc
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WideCharToMultiByte
LCMapStringW
MultiByteToWideChar
GetStringTypeW

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x6e107c
SEHandlerTable 0x6df8f0
SEHandlerCount 16
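The section table, the Optional Header values and the Load Configuration pointers above can be cross-checked against each other and against the overlay finding under Plugin Output. The Python below is an added example, not the report's or the tool's own code: it takes the printed values as constants and recomputes them. The overlay must start where the last raw section ends (0x2efc00), SizeOfImage must equal the page-aligned end of the last section, there must be no unaccounted bytes between sections on disk, and the entry point, SecurityCookie and SEHandlerTable must resolve into sensible sections. The file size is not printed on the page; it is derived from overlay offset plus the reported overlay size, which is an assumption stated in the code.

```python
# Values copied from this report. The file size is not printed anywhere on
# the page; it is derived below from overlay offset + reported overlay size.
IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000
SIZE_OF_HEADERS = 0x400
SIZE_OF_IMAGE = 0x2f4000
ENTRY_POINT_RVA = 0x5BDDE
OVERLAY_SIZE_REPORTED = 8037666
SECURITY_COOKIE_VA = 0x6e107c
SEH_TABLE_VA = 0x6df8f0

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text",  0x1000,   0x60509,  0x400,    0x60600),
    (".rdata", 0x62000,  0x27e698, 0x60a00,  0x27e800),
    (".data",  0x2e1000, 0x1b44,   0x2df200, 0xe00),
    (".rsrc",  0x2e3000, 0x1b4,    0x2e0000, 0x200),
    (".reloc", 0x2e4000, 0xf958,   0x2e0200, 0xfa00),
]


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def overlay_offset(sections):
    """Overlay starts where the last raw section byte ends."""
    return max(ptr + raw for _, _, _, ptr, raw in sections)


def raw_gaps(sections, size_of_headers=SIZE_OF_HEADERS):
    """Byte ranges on disk that belong to no section and no header."""
    gaps, cursor = [], size_of_headers
    for _, _, _, ptr, raw in sorted(sections, key=lambda s: s[3]):
        if ptr > cursor:
            gaps.append((cursor, ptr))
        cursor = max(cursor, ptr + raw)
    return gaps


def expected_size_of_image(sections, align=SECTION_ALIGN):
    return max(align_up(va + vs, align) for _, va, vs, _, _ in sections)


def section_for_rva(sections, rva):
    for name, va, vs, _, _ in sections:
        if va <= rva < va + vs:
            return name
    return None


def rva_to_file_offset(sections, rva):
    """Map an RVA to its on-disk offset; None if it lies in zero-filled
    virtual space past the section's raw data, or outside every section."""
    for _, va, vs, ptr, raw in sections:
        if va <= rva < va + vs:
            delta = rva - va
            return ptr + delta if delta < raw else None
    return None


def va_to_section(sections, va, image_base=IMAGE_BASE):
    return section_for_rva(sections, va - image_base)


def summarize(sections=SECTIONS):
    off = overlay_offset(sections)
    file_size = off + OVERLAY_SIZE_REPORTED   # assumes the reported overlay size
    return {
        "overlay_offset": off,
        "file_size": file_size,
        "overlay_fraction": OVERLAY_SIZE_REPORTED / file_size,
        "raw_gaps": raw_gaps(sections),
        "size_of_image_ok": expected_size_of_image(sections) == SIZE_OF_IMAGE,
        "entry_section": section_for_rva(sections, ENTRY_POINT_RVA),
        "entry_file_offset": rva_to_file_offset(sections, ENTRY_POINT_RVA),
        "security_cookie_section": va_to_section(sections, SECURITY_COOKIE_VA),
        "seh_table_section": va_to_section(sections, SEH_TABLE_VA),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-24s %s" % (key, shown))
```

On a real file the constants would come from the parsed section headers (pefile exposes them as pe.sections), and the same checks apply: a SizeOfImage mismatch, a gap between raw sections, or an entry point in a writable section would each be worth a look. Here every check passes and the one oddity is the overlay, which is roughly 72% of the file against a mapped image of 0x2f4000 bytes.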

RICH Header

XOR Key 0x1e7a1a2c
Unmarked objects 0
ASM objects (VS2010 build 30319) 16
C objects (VS2010 build 30319) 70
C++ objects (VS2010 build 30319) 29
Imports (VS2008 SP1 build 30729) 5
Total imports 82
175 (VS2010 build 30319) 1
Linker (VS2010 build 30319) 1

Errors
