3c4e6fe49320460b17c989935d70c70a

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2024-Nov-19 19:52:48
Detected languages English - United Kingdom
English - United States

Plugin Output

Suspicious The PE is possibly packed. Unusual section name found: .xorstr0
Unusual section name found: .xorstr1
Unusual section name found: .xorstr2
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • FindWindowA
Can access the registry:
  • RegQueryValueExA
Leverages the raw socket API to access the Internet:
  • socket
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 3c4e6fe49320460b17c989935d70c70a
SHA1 7a9a90f497b442a52bb8f3eebf20dcb130cef5c4
SHA256 29beb6a1ba683f4c9a6b03b6e5a1f8a34fad4d2bcafca9bcb041aa34f35ab29f
SHA3 9f6af322acfeb64782c3fa8d8a1c03df4325ef60d6af88e8b2baa944e85c0439
SSDeep 786432:IoQ+0mUe7aCOThVml+BsrBQv4tj6yX+PBzZ:IoshA+BUBQvSmyX+P5
Imports Hash 841c322fe44669b8ccb768beb3b12ca5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 9
TimeDateStamp 2024-Nov-19 19:52:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xb000
SizeOfInitializedData 0x23a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000107B00E (Section: .xorstr2)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x2a60000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xaf5c
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x616c
VirtualAddress 0xc000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x18d60
VirtualAddress 0x13000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x93c
VirtualAddress 0x2c000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xorstr0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xfd2b90
VirtualAddress 0x2d000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xorstr1

MD5 82677a51479ee03a7de353aafa9dc7de
SHA1 07f0745ca78d424bb2223f28d7d7d20d13ea4ba2
SHA256 7eedd833d40f96d8907f5e3be6948a49ff266011f05ffcb4825b7b94bc28d7d5
SHA3 b7a4c22f11b4ac94cfd313e26118d963c58b60b04766aceb7f0e001236d4a0dd
VirtualSize 0x208c
VirtualAddress 0x1000000
SizeOfRawData 0x2200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.120363

.xorstr2

MD5 31df8746255e7bd94287b4283641d863
SHA1 9e91648df6fc8cb4d9152db127f0bffd180a103d
SHA256 0f41adc4ed6fde672e9fa5385190a3023485c50d3e60b662fafea47ce16aa364
SHA3 778def281cce0789a088263cc5e68252a8b12d76e67940e930cfc1fa82f0f736
VirtualSize 0x1a57f9c
VirtualAddress 0x1003000
SizeOfRawData 0x1a58000
PointerToRawData 0x2600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 7.73932

.reloc

MD5 270649b82a4686cc3bf2ad6fc7b1273b
SHA1 c789766a5c92256cfe8217a174d8e30895ff0e7c
SHA256 26ac4efbfae76db0c25f7ef45f87e4f13cf1adfebedd98afa98cdedb5d79e244
SHA3 7df679a01640d4bd9f021f754f796303b5cdff8ae941b66f4231e02bc2c17d4f
VirtualSize 0x11c
VirtualAddress 0x2a5b000
SizeOfRawData 0x200
PointerToRawData 0x1a5a600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.72532

.rsrc

MD5 8e6ab51b47e3de2fc4440cc7f2fd922e
SHA1 7ef5aa5a254a89dd74af3f7c7785b29b47666138
SHA256 8cd12237276ddd1bc1364e3a095359df281869bbaa13be12b9eba30232835371
SHA3 49f2999cc12a22d82e8c96e2415db8691956a23d701b771bee0af8d0afbaf17d
VirtualSize 0x3db8
VirtualAddress 0x2a5c000
SizeOfRawData 0x3e00
PointerToRawData 0x1a5a800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.48648

Imports

KERNEL32.dll GetCurrentProcess
USER32.dll FindWindowA
ADVAPI32.dll RegQueryValueExA
MSVCP140.dll ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
WS2_32.dll socket
VCRUNTIME140_1.dll __CxxFrameHandler4
VCRUNTIME140.dll __std_exception_copy
api-ms-win-crt-runtime-l1-1-0.dll _initialize_onexit_table
api-ms-win-crt-stdio-l1-1-0.dll fgetc
api-ms-win-crt-heap-l1-1-0.dll malloc
api-ms-win-crt-filesystem-l1-1-0.dll _unlock_file
api-ms-win-crt-environment-l1-1-0.dll getenv
api-ms-win-crt-locale-l1-1-0.dll ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll __setusermatherr
KERNEL32.dll (#2) GetCurrentProcess
KERNEL32.dll (#3) GetCurrentProcess

Delayed Imports

1

Type RT_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.29091
MD5 2cc1ab758d8e59c11ca850dc95d39940
SHA1 e7f4b82144806ddcba3d56a615d3a44f335ee0e6
SHA256 a079bc60b8152655da924182c8e0b515501ace307f5e033cdedaafc4ffa37140
SHA3 f1882730ac9360d284adb23f99f3374b2ba9a5db437b937300e532e50fb5d54a

2

Type RT_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.41089
MD5 c74439b82847bd212192310ff5bb62f5
SHA1 a9554b27b9f801e9520b06a80f410d792141105a
SHA256 37d1bbfbed258e454ce1f86005962310b5efe319ce654e3936645ecc1d5ff412
SHA3 415ca9a4af58114adb3ce710c0a27934831ca1d7d659649b24841223895d9696

3

Type RT_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.40167
MD5 89a8f227673fd38922881fd4eb69d8ba
SHA1 95776005759a82bf99a6f589d8e6228873621485
SHA256 7197535336859eb3f336d41a82ba264798da804a40fd211fb096cf126e6082d5
SHA3 82877021b31cef4add6eee5dafbf8f20108f645b64bbec9317cbcd7b527a60a9

101

Type RT_GROUP_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x30
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.45849
Detected Filetype Icon file
MD5 409e1724611e0bc39356e2f58888db55
SHA1 c06c0e66cc2f7956256e2f018aa0294bfa914960
SHA256 6ab18c3b81a5d30c5a190a4504cae807d73b1a4d02d56ffddf641abbb62b7210
SHA3 315b2ad40793f4ef885ff4c878169b02c62f619b57780a98a76c8538cd0ee5c9

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89623
MD5 b8e76ddb52d0eb41e972599ff3ca431b
SHA1 fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
SHA256 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA3 37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd

Version Info

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140013040

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .xorstr0 has a size of 0!