Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2024-Apr-26 22:54:17 |
Detected languages | English - United States |
TLS Callbacks | 1 callback(s) detected. |
CompanyName | www.koala.com |
FileDescription | Koala app |
FileVersion | 6.31.4 |
LegalCopyright | Copyright (C) 2011-2024 Koalancha |
OriginalFilename | koala.exe |
ProductName | Koala |
ProductVersion | 6.31.4 |
Suspicious | Strings found in the binary may indicate undesirable behavior: Contains references to mining pools: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to MD5; Uses constants related to SHA1; Uses constants related to SHA256; Uses constants related to SHA512; Uses constants related to AES; Uses constants related to Blowfish; Uses constants related to base58; Uses known Diffie-Helman primes; Uses known Mersenne Twister constants; Microsoft's Cryptography API |
Suspicious | The PE is possibly packed. Unusual section name found: _RANDOMX; Unusual section name found: _TEXT_CN; Unusual section name found: _TEXT_CN |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 34/72 (Scanned on 2024-04-26 22:56:28) |

ALYac | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
---|---|
APEX | Malicious |
AVG | Win32:Miner-HM [PUP] |
AhnLab-V3 | Trojan/Win.Miner3.R512976 |
Antiy-AVL | Trojan/Win64.CoinMiner.xmr |
Arcabit | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
Avast | Win32:Miner-HM [PUP] |
Avira | PUA/CoinMiner.Gen |
BitDefender | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
Bkav | W64.AIDetectMalware |
ClamAV | Win.Trojan.Coinminer-9866537-0 |
Cynet | Malicious (score: 99) |
DeepInstinct | MALICIOUS |
ESET-NOD32 | a variant of Win64/CoinMiner.IZ potentially unwanted |
Elastic | malicious (high confidence) |
Emsisoft | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 (B) |
F-Secure | PotentialRisk.PUA/CoinMiner.Gen |
FireEye | Generic.mg.524a748290ddb8fc |
GData | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
Google | Detected |
Gridinsoft | Trojan.Win64.CoinMiner.mz!s6 |
Ikarus | PUA.CoinMiner |
Kaspersky | not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen |
MAX | malware (ai score=81) |
Malwarebytes | Generic.Malware.AI.DDS |
MicroWorld-eScan | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
Sangfor | Trojan.Win32.Save.a |
SentinelOne | Static AI - Malicious PE |
Skyhigh | BehavesLike.Win64.CoinMiner.vh |
Sophos | XMRig Miner (PUA) |
Symantec | ML.Attribute.HighConfidence |
VIPRE | DeepScan:Generic.Application.CoinMiner.1.DE1A04F3 |
ZoneAlarm | not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen |
alibabacloud | Miner:Win/CoinMiner.HPC |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x120 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 10 |
TimeDateStamp | 2024-Apr-26 22:54:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x41f800 |
SizeOfInitializedData | 0x49b000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00000000003E686C (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x8c1000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
WS2_32.dll | WSASetLastError, send, recv, ntohs, htons, htonl, inet_addr, inet_ntoa, gethostbyaddr, WSAGetLastError, WSAIoctl, gethostbyname, WSARecvFrom, WSASocketW, WSASend, WSARecv, gethostname, WSADuplicateSocketW, getpeername, FreeAddrInfoW, GetAddrInfoW, shutdown, socket, setsockopt, listen, connect, closesocket, bind, WSACleanup, WSAStartup, select, getsockopt, getsockname, ioctlsocket, getservbyname, getservbyport |
---|---|
IPHLPAPI.DLL | GetAdaptersAddresses |
USERENV.dll | GetUserProfileDirectoryW |
CRYPT32.dll | CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertGetCertificateContextProperty, CertDuplicateCertificateContext |
KERNEL32.dll | RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, WriteConsoleW, SetConsoleTitleA, GetStdHandle, SetConsoleMode, GetConsoleMode, QueryPerformanceFrequency, QueryPerformanceCounter, SizeofResource, LockResource, LoadResource, FindResourceW, ExpandEnvironmentStringsA, GetConsoleWindow, GetSystemFirmwareTable, HeapFree, HeapAlloc, GetProcessHeap, MultiByteToWideChar, SetPriorityClass, GetCurrentProcess, SetThreadPriority, GetSystemPowerStatus, GetCurrentThread, GetProcAddress, GetModuleHandleW, GetTickCount, CloseHandle, FreeConsole, VirtualProtect, VirtualFree, VirtualAlloc, GetLargePageMinimum, LocalAlloc, GetLastError, LocalFree, FlushInstructionCache, GetCurrentThreadId, AddVectoredExceptionHandler, DeviceIoControl, GetModuleFileNameW, CreateFileW, SetLastError, GetSystemTime, SystemTimeToFileTime, GetModuleHandleExW, Sleep, InitializeSRWLock, ReleaseSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockExclusive, AcquireSRWLockShared, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemInfo, SwitchToFiber, DeleteFiber, CreateFiberEx, FindClose, FindFirstFileW, FindNextFileW, WideCharToMultiByte, GetSystemDirectoryA, FreeLibrary, LoadLibraryA, FormatMessageA, GetFileType, WriteFile, GetEnvironmentVariableW, GetACP, ConvertFiberToThread, ConvertThreadToFiberEx, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryW, ReadConsoleA, ReadConsoleW, PostQueuedCompletionStatus, CreateFileA, DuplicateHandle, SetEvent, ResetEvent, WaitForSingleObject, CreateEventA, QueueUserWorkItem, RegisterWaitForSingleObject, UnregisterWait, GetNumberOfConsoleInputEvents, ReadConsoleInputW, FillConsoleOutputCharacterW, FillConsoleOutputAttribute, GetConsoleCursorInfo, SetConsoleCursorInfo, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, WriteConsoleInputW, CreateDirectoryW, FlushFileBuffers, GetDiskFreeSpaceW, GetFileAttributesW, GetFileInformationByHandle, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetFullPathNameW, ReadFile, RemoveDirectoryW, SetFilePointerEx, SetFileTime, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, CreateFileMappingA, ReOpenFile, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, TryAcquireSRWLockExclusive, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, ReleaseSemaphore, ResumeThread, GetNativeSystemInfo, GetProcessAffinityMask, SetThreadAffinityMask, CreateSemaphoreA, SetConsoleCtrlHandler, RtlUnwind, GetLongPathNameW, GetShortPathNameW, CreateIoCompletionPort, ReadDirectoryChangesW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetTempPathW, GlobalMemoryStatusEx, FileTimeToSystemTime, K32GetProcessMemoryInfo, SetHandleInformation, CancelIoEx, CancelIo, SwitchToThread, SetFileCompletionNotificationModes, LoadLibraryExW, SetErrorMode, GetQueuedCompletionStatus, ConnectNamedPipe, SetNamedPipeHandleState, PeekNamedPipe, CreateNamedPipeW, CancelSynchronousIo, GetNamedPipeHandleStateA, GetNamedPipeClientProcessId, GetNamedPipeServerProcessId, TerminateProcess, GetExitCodeProcess, UnregisterWaitEx, LCMapStringW, DebugBreak, GetModuleHandleA, LoadLibraryExA, GetStartupInfoW, GetModuleFileNameA, GetVersionExA, SetProcessAffinityMask, GetComputerNameA, RtlCaptureContext, GetStringTypeW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, IsDebuggerPresent, GetFinalPathNameByHandleW, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetCommandLineA, GetCommandLineW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, ExitProcess, GetFileAttributesExW, SetFileAttributesW, GetConsoleOutputCP, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetTimeZoneInformation, HeapSize, SetEndOfFile, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetFileSizeEx, GetCurrentDirectoryW, InitializeCriticalSectionEx, SleepConditionVariableSRW, WaitForSingleObjectEx, GetExitCodeThread |
USER32.dll | GetLastInputInfo, MessageBoxW, GetProcessWindowStation, TranslateMessage, GetUserObjectInformationW, ShowWindow, DispatchMessageA, GetSystemMetrics, MapVirtualKeyW, GetMessageA |
SHELL32.dll | SHGetSpecialFolderPathA |
ole32.dll | CoInitializeEx, CoUninitialize, CoCreateInstance |
ADVAPI32.dll | SystemFunction036, GetUserNameW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, CreateServiceW, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, QueryServiceConfigA, DeleteService, ControlService, StartServiceW, OpenServiceW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, LsaOpenPolicy, LsaAddAccountRights, LsaClose, GetTokenInformation |
bcrypt.dll | BCryptGenRandom |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.31.4.0 |
ProductVersion | 6.31.4.0 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | UNKNOWN |
CompanyName | www.koala.com |
FileDescription | Koala app |
FileVersion (#2) | 6.31.4 |
LegalCopyright | Copyright (C) 2011-2024 Koalancha |
OriginalFilename | koala.exe |
ProductName | Koala |
ProductVersion (#2) | 6.31.4 |
Resource LangID | English - United States |
Characteristics | 0 |
---|---|
TimeDateStamp | 2024-Apr-26 22:54:17 |
Version | 0.0 |
SizeofData | 1216 |
AddressOfRawData | 0x5907a8 |
PointerToRawData | 0x58f3a8 |
StartAddressOfRawData | 0x140590cb0 |
---|---|
EndAddressOfRawData | 0x140590cd8 |
AddressOfIndex | 0x140860304 |
AddressOfCallbacks | 0x140421df8 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_8BYTES |
Callbacks | 0x00000001403E6594 |
Size | 0x140 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x1405ca140 |
XOR Key | 0xd6a46f06 |
---|---|
Unmarked objects | 0 |
ASM objects (30795) | 7 |
C++ objects (30795) | 204 |
Unmarked objects (#2) | 1 |
C objects (33218) | 19 |
ASM objects (33218) | 18 |
C++ objects (33218) | 98 |
C objects (30795) | 22 |
C objects (33523) | 18 |
Total imports | 386 |
Imports (30795) | 23 |
C objects (30154) | 800 |
C++ objects (LTCG) (33523) | 264 |
ASM objects (33523) | 3 |
Resource objects (33523) | 1 |
151 | 1 |
Linker (33523) | 1 |