Manalyze report for 478b04c20bbf6717d10ee978b99339b7c4664febc8bcfdaf86c3f0fbfc83a5c5

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Info	Interesting strings found in the binary:	Contains domain names: -Inf.bat.cmd.com .eq.runtime.net .hash.net Inf.bat.cmd.com analytics.com authenticatewww.facebook.com bat.cmd.com bootstrap.com cdn.bootstrap.com cdn.jquery.com cdn.mxpnl.com code.jquery.com emptywww-authenticatewww.facebook.com eq.runtime.net facebook.com golang.org google-analytics.com google.com https://cdn.bootstrap.com https://cdn.bootstrap.com/id https://cdn.jquery.com https://cdn.jquery.com/index https://cdn.mxpnl.com https://cdn.mxpnl.com/idna https://code.jquery.com https://code.jquery.com/idna https://nikeoutletinc.org https://play.google.com https://play.google.com/log?invalid https://www.google-analytics.com https://www.google-analytics.com/indefinite jquery.com mxpnl.com nikeoutletinc.org play.google.com runtime.net type..eq.net type..eq.runtime.net type..hash.net www.bing.com www.google-analytics.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES`
Suspicious	The PE is possibly packed.	`Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Malicious	VirusTotal score: 51/72 (Scanned on 2025-12-14 20:12:28)	`ALYac: Gen:Variant.Bulz.370300` `APEX: Malicious` `AVG: Win64:Trojan-gen` `AhnLab-V3: Trojan/Win.Cobalt.C5216359` `Alibaba: Trojan:Win32/Goldmax.3e3` `Arcabit: Trojan.Bulz.D5A67C` `Avast: Win64:Trojan-gen` `Avira: HEUR/AGEN.1318184` `BitDefender: Gen:Variant.Bulz.370300` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.goldmax` `ClamAV: Win.Malware.SUNSHUTTLE-9838970-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: WinGo/Agent.AE trojan` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Bulz.370300 (B)` `F-Secure: Heuristic.HEUR/AGEN.1318184` `GData: Gen:Variant.Bulz.370300` `Google: Detected` `Ikarus: Trojan-Ransom.FileCrypter` `K7AntiVirus: Trojan ( 005ea2e21 )` `K7GW: Trojan ( 005ea2e21 )` `Kaspersky: HEUR:Trojan.Win32.Generic` `Kingsoft: Win32.Trojan.Generic.a` `Lionic: Trojan.Win32.GoldMax.4!c` `Malwarebytes: Trojan.Dropper.GO` `MaxSecure: Trojan.Malware.7164915.susgen` `McAfeeD: ti!478B04C20BBF` `MicroWorld-eScan: Gen:Variant.Bulz.370300` `Microsoft: Trojan:Win64/GoldMax.A!dha` `Paloalto: generic.ml` `Panda: Trj/CI.A` `Rising: Backdoor.[APT29]SunShuttle!1.D383 (CLASSIC)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BackDoor-FELG!5DB340A70CB5` `Sophos: Mal/GoldMax-A` `Symantec: Backdoor.GoldMax` `Tencent: Malware.Win32.Gencirc.1423f25d` `TrellixENS: BackDoor-FELG!5DB340A70CB5` `VBA32: Trojan.Win64.GoldMax` `VIPRE: Gen:Variant.Bulz.370300` `Varist: W64/ABTrojan.OCVQ-0084` `Yandex: Trojan.Agent!On5vXt9/HSg` `Zillya: Trojan.Agent.Win32.3517125` `ZoneAlarm: Mal/GoldMax-A` `alibabacloud: Trojan:Multi/GoldMax.A9hyq` `huorong: Backdoor/SunShuttle.a`

Hashes

MD5	`5db340a70cb5d90601516db89e629e43`
SHA1	`5576be6824fee2f41767a039514edb66c9002eb5`
SHA256	`478b04c20bbf6717d10ee978b99339b7c4664febc8bcfdaf86c3f0fbfc83a5c5`
SHA3	`4227904a0833f2b15ee6c8b256373d2d59ff8145ae73912a76fd1be5f3067d8b`
SSDeep	`49152:/1Lyh/GVW6pcvm8MrwdPy/A4N/j0tPPYalErb6zB9vcZN1QltUvskFUTBHpfyMT:9uhJgcfMrEDK0tPgalEwYy1Te+A`
Imports Hash	`91802a615b3a5c4bcc05bc5f66a5b219`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0x4`
e_cparhdr	`0`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x4f0c00`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0x24b000`
SizeOfInitializedData	`0x3fa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000064070 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x526000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`9133653eaff7cd2a592985068fcb7a2f`
SHA1	`d68025cccbc80a15283aa6e53ac226ce01dbc099`
SHA256	`001e137db0f2d2a6e2ee784a0a24f2ac9b77687fe3ab98dc0adade35bb54b34b`
SHA3	`8e2238989d791aa96b557b1145c3b13e17088d751596d2ce16f224f4138b195f`
VirtualSize	`0x24afb9`
VirtualAddress	`0x1000`
SizeOfRawData	`0x24b000`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.90232`

.rdata

MD5	`f62a5086bbfbdce2f53e3851973e68d7`
SHA1	`30d3c2ec7da1a2465ec2822d85e508209f78b898`
SHA256	`16e58f870b01574c9625679340f72f79832e6b71395c274e830c6d738541ca14`
SHA3	`9f7b2d2741c171a802bd0b6b77fb28acaf6a25551f649b37003dc4b7815fc7bb`
VirtualSize	`0x2654d2`
VirtualAddress	`0x24c000`
SizeOfRawData	`0x265600`
PointerToRawData	`0x24b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.34517`

.data

MD5	`3886c9959c0db9cbb1fffb6cf481aed1`
SHA1	`dbccc000d22de35baa61dc7afecc16998ac73dd1`
SHA256	`88b58ca242df4a88dc128988a0d43a4c9e06fd675cb5a57e0106536e20f74eb8`
SHA3	`4284c01f4556e33310cb0249ec688dfa95fdf169b2c862fc0d962cc4c0efc920`
VirtualSize	`0x71cc8`
VirtualAddress	`0x4b2000`
SizeOfRawData	`0x3fa00`
PointerToRawData	`0x4b0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.55153`

.idata

MD5	`ace875ec125258b2042837d2a2443781`
SHA1	`104b04c2e2d49bd0a13c66149d7e3614cf2a96fc`
SHA256	`e63c693184b9ceb2372d2b5cf6ac54c37ccf2c24fd1e14de709a3a7506ff9d83`
SHA3	`c0ff5006903c28fb26e2def3920d68d5be206766b1b83392ee11c0da552e5a82`
VirtualSize	`0x442`
VirtualAddress	`0x524000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4f0600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.87775`

.symtab

MD5	`07b5472d347d42780469fb2654b7fc54`
SHA1	`943ae54f4818e52409fbbaf60ffd71318d966b0d`
SHA256	`3e67f4a7d14b832ff2a2433e9cf0f6f5720821f67148a87c0ee2595a20c96c68`
SHA3	`a70a3e18515c06557b62676f2a8eb6d7d41962d8c9c7c49f4641c429cc65b977`
VirtualSize	`0x4`
VirtualAddress	`0x525000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4f0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.0203931`

Imports

KERNEL32.DLL	`WriteFile` `WriteConsoleW` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetUnhandledExceptionFilter` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `ResumeThread` `PostQueuedCompletionStatus` `LoadLibraryA` `LoadLibraryW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatus` `GetProcessAffinityMask` `GetProcAddress` `GetEnvironmentStringsW` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.