Manalyze report for 4dd36fc6571a3b9344a2ebaca2c28cef218c2293d8e80923996b0ba61aa1bbc2

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Mar-22 18:34:44
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
FileDescription	Unicode name dll for richedit 1.0. windows sockets helper dll.
InternalName	koched
OriginalFilename	koched
CompanyName	Lumin Mv cies pv Co
LegalCopyright	(C) 2027 Lumin Mv cies pv Co. All rights reserved.
ProductName	koched
FileVersion	`99.98.13.61`
ProductVersion	`99.98.13`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `The PE only has 9 import(s).`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions related to the privilege level: OpenProcessToken`
Info	The PE's resources present abnormal characteristics.	`Resource 8 is possibly compressed or encrypted.` `Resource 9 is possibly compressed or encrypted.` `Resource 10 is possibly compressed or encrypted.` `Resource 11 is possibly compressed or encrypted.` `Resource 12 is possibly compressed or encrypted.` `Resource 13 is possibly compressed or encrypted.` `Resource 14 is possibly compressed or encrypted.`
Suspicious	The file contains overlay data.	`4194304 bytes of data starting at offset 0xf5000.` `Overlay data amounts for 80.6935% of the executable.`
Malicious	VirusTotal score: 31/52 (Scanned on 2026-05-22 06:18:09)	`Alibaba: Trojan:Win32/AntiAV.01516b81` `Antiy-AVL: GrayWare/Win32.Wacapew` `Avira: TR/W64.MalwareX` `Bkav: W32.Malware.1BFC5437` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Elastic: malicious (moderate confidence)` `F-Secure: Trojan.TR/W64.MalwareX` `GData: Trojan.GenericKD.80021942` `Ikarus: Trojan.Win32.Crypt` `K7AntiVirus: Trojan ( 006dbbaf1 )` `K7GW: Trojan ( 006dbbaf1 )` `Kingsoft: Win32.Trojan.AntiAV.ddxn` `Lionic: Trojan.Win32.AntiAV.4!c` `Malwarebytes: Malware.AI.803133857` `MaxSecure: Trojan.Malware.325683076.susgen` `McAfeeD: ti!4DD36FC6571A` `MicroWorld-eScan: Trojan.GenericKD.80021942` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Antiav.Vvpl` `SentinelOne: Static AI - Suspicious PE` `Symantec: Trojan.Gen.MBT` `Tencent: Win32.Trojan.Antiav.Mqil` `TrellixENS: Artemis!A163E1C5D5DD` `VIPRE: Trojan.GenericKD.80021942` `Varist: W64/ABTrojan.GMDW-5525` `ViRobot: Trojan.Win.Z.Agent.5197824.K` `alibabacloud: Trojan:Win/Wacatac.C9nj` `huorong: Trojan/Agent.cuhb!crit`

Hashes

MD5	`a163e1c5d5dde03700b631cd2ce94a96`
SHA1	`82834d150b03007503c04f3e83df1e7ed9eedc8b`
SHA256	`4dd36fc6571a3b9344a2ebaca2c28cef218c2293d8e80923996b0ba61aa1bbc2`
SHA3	`329b31b42cf2ecf55ca557f1e69f46a82af186fdd3f4943119f84114efa721fc`
SSDeep	`24576:tGZpHQWD4WzwB/iHYGRHjUHLxwoGAdxAfj+nk:kz91wiHnHjUH3Ddqfc`
Imports Hash	`24b721e2fd75a9fe779d45409598a609`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2026-Mar-22 18:34:44
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0xd3000`
SizeOfInitializedData	`0x23000`
SizeOfUninitializedData	`0xb8000`
AddressOfEntryPoint	`0x000000000018A5D0 (Section: UPX1)`
BaseOfCode	`0xb9000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x1af000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xb8000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`4c4637b6d8bfecec887e23a80f0efdb0`
SHA1	`c29293aaa9ed6f0264b474c0a9a063cbc81743eb`
SHA256	`e2074831c8856664e3d40e128748609327c2ecfc1309ab59ca762a9c04afce92`
SHA3	`695e61c0e0c45cac328f11ce39922a6350a10a41705531b505e33c70196952d6`
VirtualSize	`0xd3000`
VirtualAddress	`0xb9000`
SizeOfRawData	`0xd2400`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99962`

.rsrc

MD5	`ce15341d5ae689a77eea4882d561826b`
SHA1	`ae93639d6ef7da42da41628f7049d0b9dd84353e`
SHA256	`46c4ab4689de0112c4da2bb386c36e51ee3ac773a715e8a3496979f93ec2e3e5`
SHA3	`a58ddb1124d375ae46da47c5c35d21a06d309b4532aaa9c4f9655e96dbaa14b7`
VirtualSize	`0x23000`
VirtualAddress	`0x18c000`
SizeOfRawData	`0x22a00`
PointerToRawData	`0xd2600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.9715`

Imports

ADVAPI32.dll	`OpenProcessToken`
api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress`
KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect`
msvcrt.dll	`free`
ntdll.dll	`NtOpenFile`
ole32.dll	`CoInitializeEx`
OLEAUT32.dll	`SysFreeString`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2e5`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.63728`
Detected Filetype	PNG graphic file
MD5	`cf9f708d36eb3a758baaf7c6cd2a02a8`
SHA1	`7559a171f277618290d7e31df1ef872534804c8c`
SHA256	`fe0e19fe7133f77bdaefd05d7eef7b7b28eddc4479a6a84dac17991f255365f0`
SHA3	`9650ba11ecddd07a07cbce79a75a56ee9e562f559a46be0dc8d4cd506966e827`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x49b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.80276`
Detected Filetype	PNG graphic file
MD5	`ecb6835c3faf2f7e59d2fa774f178500`
SHA1	`0d932c4b5e631de86dadca3581cbeaa781b86cea`
SHA256	`44f3cfbc95bb2155fca51809f81779d315b4fb9aad3bc734b339ac0c1083382d`
SHA3	`3ef9ef3dd659a0c3c316235968f3ead598ffe36d138b13286c6ccbb7b8b6da91`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x662`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.8327`
Detected Filetype	PNG graphic file
MD5	`73488fac8c82b54635ab97bbd265cdf4`
SHA1	`7a48e47fb1355ac9cc34c223715752d65a5250ef`
SHA256	`eadf0d288f40c21c02c2184fd52ee271bfa62e50cbcfc7a702a3d4f2b9431f89`
SHA3	`40fafcf7e34bc9e70f7014cc56aba39823469ec1ec77e39f5ccd26ca8a840bcd`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xb65`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92003`
Detected Filetype	PNG graphic file
MD5	`769fe33a07e40dc0e469b94dd2e9e318`
SHA1	`f8430517417490e412fa5c99b06287b1ab735c43`
SHA256	`a436bb7f8d4dd03372d6fa3edd6681c572dfed4844dc886af1e3e8d72b24201f`
SHA3	`4e80995deb838321278d80ff34cc320345410419b894713d794bd42cf492c14f`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x123a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95472`
Detected Filetype	PNG graphic file
MD5	`897f1516643180e839fee4dbd87dbc87`
SHA1	`1f9f6bb81bd1f3ba9f740328fc1d652e13a192a1`
SHA256	`ac39b32e84307aae8bf90cb36ae14fa81350f2e9ba23e879e73e66d7b4b19be6`
SHA3	`1b2d87228df7171231118a053443e75130948d28d52664a0f23705b31e874672`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4391`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98101`
Detected Filetype	PNG graphic file
MD5	`810ce8c344eacafc07fc90a338dbd1bd`
SHA1	`b3199809a71520b1a5235c445e2f3265d6eb3f1b`
SHA256	`64581a23d2071c94f9d4fc395a37dcc7f8ca1d856c18752b6af77f5f4a3b8252`
SHA3	`b81727d4a793e7e0acb030f82577400e10f5024c02429ece8914059758f3f831`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1aab6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99289`
Detected Filetype	PNG graphic file
MD5	`8ec23885104804be8bca4fdb42d326d0`
SHA1	`ba71732535afa6d8a591586018cd57ecd3f6270b`
SHA256	`4cce6f0b5d08da13272be378674732732855b3f49e62e77d0a4f8fff9dabfbf7`
SHA3	`b41c05669a9a7ef5a3d4ea45c75462ab79ea36d111e1fa3d8ec2f95b48881209`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2d8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.66746`
MD5	`885b374c058ea2f7e03d226c6071f269`
SHA1	`4af1fc559e9d81b452a0125e194e26389e1e095e`
SHA256	`247a3e39006915dafcc719aa91e7401c480e782226ed50e79cc152d53bf72c0c`
SHA3	`a135cf23e4c663e2bf09eba0ce28e94b98411e9c0e846659da0abf887dbf2882`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x49e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.83888`
MD5	`94168c0cf241a6c8caa74a7e54853e9d`
SHA1	`aac8cd8db85e8c8acbfb51947919ba1da946c132`
SHA256	`054f6a6994d2b78fcc178f8d30b603a339dd865ed49418359a5aa53d8c3206b3`
SHA3	`9aeac13de172e881fd56ef6af722f350d18403bc5bef795c4b5a265bc9aa8b26`

10

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x686`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.88203`
MD5	`89f0286c71b45668fc224bf52f55aba7`
SHA1	`782b718958dc5138e6d733a93ce61e3f26889155`
SHA256	`ce446e52c894177dd6f49a4c052c1f9a0d6ffd02c7538ccbd3b74338a8009e16`
SHA3	`b939ed0df2feb4f976dc7c989d69e6772b9a71a5c71fefffb0aac12e8d68987c`

11

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xb40`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92806`
MD5	`0cc6932a4a6c01039bdf9f1fbe6658f0`
SHA1	`d5a1c04874acb00104da0376fb2d5294f72e51f7`
SHA256	`952ceba0057eb979beba4c6e525cade5df0da4a2530ad7f25363dac50e605af0`
SHA3	`b26f6e0765c607e2038f0d61ba94d4d81dd67fbe7a89ce2ace4d88a049971d6e`

12

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x11cd`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95858`
MD5	`cc5e2fa12bda6ace267b9be59cb9d4ff`
SHA1	`d6692324f81a28720859ebabc34dfef204f44ad0`
SHA256	`fc03605355802d46d7fe3e6dcb2497fa64af81f33edae81b0a8ebfb6ea217e2f`
SHA3	`38aeaeb1e3e74a5045b4c09924bdc9d0dcbc4f3203915428b537b4792b06e277`

13

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x41ec`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.9889`
MD5	`cadcc7ea943eae6c25dd1ccf557f81e8`
SHA1	`8a450d18875a17c9646552fb0a7fbea1c0a4446a`
SHA256	`663f0cf379de47752308412b35028a58c3bea1c2c26f5340cdbbdd39b515320f`
SHA3	`21cc126ae7836960acc2a56653620306d6fe976174becf2f775594467137efe5`

14

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1a8bc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99807`
MD5	`0fead75944c8763035db190a62619e95`
SHA1	`f935ed4d9b5c91ba982b26441539ef23808b9e11`
SHA256	`e008afbb1108d5670b2fbd8965d524e0bd536bf815eb5f66f78817a5230caa60`
SHA3	`abc2468e4b24356d64786e10a7a90a7e54ce55d9c5924fc52e927fc9d622a0cc`

60481

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.72872`
Detected Filetype	Icon file
MD5	`1cdf61b25111bd3d901289e10b4135d6`
SHA1	`ba1d1150249d57622a19ad58458c37858c29d47a`
SHA256	`165fff89b77366578f475c90491d8000e6b7eb7595aaa4f71ae0266f1ec06380`
SHA3	`60de97b33d36d451c049fde410872d809716901973cd891fbaf73f16e9922131`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x364`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.41945`
MD5	`03fbc72fa0a4df109ec12c7496698ca9`
SHA1	`5d6571de2aa75dcf15af4d0e5ce6173aaf9da883`
SHA256	`8caa97145917a5602126d36b565002b0d51f16514bc8af6791542cf9c4ac4eba`
SHA3	`bad63ca61168769048ece6a6acc98075b6e255941de6bb492af3733c89adc50b`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x1a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.8947`
MD5	`bec2e3ab2e89b8af76d482a0543b2b78`
SHA1	`871dc170c1b6e2b56391a1f95ed7ea93bdc8761e`
SHA256	`e253700137fe6be0b8f436b3e5c4b889959ea182a2c4e22c7f54680a9833af96`
SHA3	`02a9f62c48321f8b3a237f2591f9b3a4347a717808719fce36a2173cacec4fb1`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	99.98.13.61
ProductVersion	99.98.13.0
FileFlags	`(EMPTY)`
FileOs	`(EMPTY)`
FileType	`VFT_APP`
Language	English - United States
FileDescription	Unicode name dll for richedit 1.0. windows sockets helper dll.
InternalName	koched
OriginalFilename	koched
CompanyName	Lumin Mv cies pv Co
LegalCopyright	(C) 2027 Lumin Mv cies pv Co. All rights reserved.
ProductName	koched
FileVersion (#2)	99.98.13.61
ProductVersion (#2)	99.98.13

Resource LangID	English - United States

TLS Callbacks

StartAddressOfRawData	`0x18018b238`
EndAddressOfRawData	`0x18018b240`
AddressOfIndex	`0x18009512c`
AddressOfCallbacks	`0x18018b240`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x000000018018B1EA`

Load Configuration

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Yara callback received an unhandled message (6).

Leave a comment

No comments yet.