Manalyze report for 3ba4ba0dd147368f4f173371712849e6

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 8 import(s).`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions related to the privilege level: OpenProcessToken`
Suspicious	The file contains overlay data.	`16089486 bytes of data starting at offset 0x2f200.` `The overlay data has an entropy of 7.99982 and is possibly compressed or encrypted.` `Overlay data amounts for 98.8145% of the executable.`
Malicious	VirusTotal score: 49/70 (Scanned on 2024-10-01 10:37:05)	`ALYac: Trojan.GenericKD.73980361` `APEX: Malicious` `AVG: MacOS:ReverseShell-C [Trj]` `AhnLab-V3: Trojan/Win.Wacatac.C5676318` `Alibaba: TrojanPSW:Win32/Almi_Disco.e` `Antiy-AVL: GrayWare/Win32.Wacapew` `Arcabit: Trojan.Generic.D468D9C9` `Avast: MacOS:ReverseShell-C [Trj]` `BitDefender: Trojan.GenericKD.73980361` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.python` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `ESET-NOD32: Python/Spy.Agent.WB` `Elastic: malicious (moderate confidence)` `Emsisoft: Trojan.GenericKD.73980361 (B)` `FireEye: Generic.mg.3ba4ba0dd147368f` `Fortinet: W32/Agent.WB!tr.spy` `GData: Trojan.GenericKD.73980361` `Ikarus: Trojan-Spy.Python.CStealer` `K7AntiVirus: Trojan ( 005a951e1 )` `K7GW: Trojan ( 005a951e1 )` `Kaspersky: HEUR:Trojan.Python.Tpyc.g` `Kingsoft: Win32.Troj.Unknown.a` `Lionic: Trojan.Win32.Python.4!c` `Malwarebytes: Malware.AI.2248929327` `McAfee: Artemis!3BA4BA0DD147` `McAfeeD: ti!936A7F98A156` `MicroWorld-eScan: Trojan.GenericKD.73980361` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Stealer.Discord/PYC!1.10249 (CLASSIC)` `Skyhigh: BehavesLike.Win64.Adware.wc` `Sophos: Generic Reputation PUA (PUA)` `Symantec: OSX.Trojan.Gen` `Tencent: Win32.Trojan.Tpyc.Dkjl` `Trapmine: suspicious.low.ml.score` `TrendMicro-HouseCall: TROJ_GEN.R002H09I424` `VBA32: Trojan.Python` `VIPRE: Trojan.GenericKD.73980361` `Varist: PYC/Hazgrab.A.gen!Camelot` `VirIT: Trojan.Win64.Agent.HHP` `Webroot: W32.Trojan.GenKD` `Xcitium: Malware@#750t344cir80` `Zillya: Trojan.PyInstaller.Win64.16` `ZoneAlarm: HEUR:Trojan.Python.Tpyc.g` `alibabacloud: Trojan:MacOS/Tpyc.g` `huorong: TrojanSpy/Python.TokenGrabber.e`

Hashes

MD5	`3ba4ba0dd147368f4f173371712849e6`
SHA1	`efa229c55ef8d7c6e9da5dfe8852dbeaf396f8a0`
SHA256	`936a7f98a1560c1bce44797e7600f2b877acf746a64b8eaf3372be6fcb8d69a8`
SHA3	`0caa2cf42c7356c1bba74a4d47627169b2b5e93929960dc785e9be13876f15c8`
SSDeep	`393216:Xdh9SAAy7v5tJurEUWjy7y7cGtoEMdKpA34CWlCwD:v9qy7vDJdbWy7NtIYAza`
Imports Hash	`bbadd88e560afea1d0dd8f728c4701ca`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x20000`
SizeOfInitializedData	`0x10000`
SizeOfUninitializedData	`0x38000`
AddressOfEntryPoint	`0x0000000000058440 (Section: UPX1)`
BaseOfCode	`0x39000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x69000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x38000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`7ba783a95a12c46d0ead775fe953e3e1`
SHA1	`0c90c115b7f0aacfb0fa41bed81eb409dc59aefd`
SHA256	`ebc50b6c16e0b29441816eac6989f31deb9dd6b897b9c3fbe54e4e6d2d70c1d2`
SHA3	`795526ed7fe77ecd5f7509284a6bba5396f1bede33adaf8392735a4ca6958605`
VirtualSize	`0x20000`
VirtualAddress	`0x39000`
SizeOfRawData	`0x1f800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.91906`

.rsrc

MD5	`85a27c6c65465e34d16d6b3e90d4e604`
SHA1	`39cb6c55c0db94eb9716a291ed810c59b473003a`
SHA256	`a5fa71d80cd6e2b0e1ca507fb7c4271a069d6b0f84d3e5de3c70c135e4caa6d8`
SHA3	`78f1486977521a56b1988084d29156e01cb2883221aa2e3d8f4b919e3663bf57`
VirtualSize	`0x10000`
VirtualAddress	`0x59000`
SizeOfRawData	`0xf600`
PointerToRawData	`0x1fc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.53815`

Imports

ADVAPI32.dll	`OpenProcessToken`
COMCTL32.dll	`#380`
GDI32.dll	`SelectObject`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
USER32.dll	`GetDC`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15653`
MD5	`15d6a8563184abef13a1ee75aea262ad`
SHA1	`d7d896432efd845f283f2b98a66486df05bf5e10`
SHA256	`7cccfafd00332ac9c9f6ac0112cc0653991eb169943919e55d05f3fa15929821`
SHA3	`93904dad7224f31021bf8d53753e553f8233c2f40f6dbe25e67b692c6ae378ab`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.44895`
MD5	`1c06420cfb94514d35c088699a04774d`
SHA1	`2c23d7df4bc8ce3fb15f33e78c042b12814aea3b`
SHA256	`d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e`
SHA3	`a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.77742`
MD5	`db1208cf5d76055be1c3a34567af9f5a`
SHA1	`c5adcd7407c8b18459e4b4ce96fb70ecf5701a97`
SHA256	`5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5`
SHA3	`549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x952c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95095`
Detected Filetype	PNG graphic file
MD5	`f6fbada22d6a6c07ef8fdaa504f117d5`
SHA1	`591a723501eff1a4920462f8efcaf3715e829450`
SHA256	`3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f`
SHA3	`ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.0521`
MD5	`86ce219c337119fe35646823cb56d091`
SHA1	`74d3090f01f3128bda93a3a7525f139c495bffbd`
SHA256	`7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee`
SHA3	`8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15081`
MD5	`58b7700e8f20d0a3c77021eb7e7019dc`
SHA1	`87f7668b96ab48bd6ba5c8b9968dbb024a028407`
SHA256	`c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a`
SHA3	`13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.39466`
MD5	`9de69c1c4b3a06597da9c275b38bffb6`
SHA1	`a4ed3bd1bb4edc0eaa187b68929f596906e9ee87`
SHA256	`ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30`
SHA3	`6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`cd3a631eace19041876b4c4c6ec8461a`
SHA1	`d4b3f99c4d648e3446dc05e7fb6e444e42dfed01`
SHA256	`f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838`
SHA3	`b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003e018`

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!