56a53d20e12aca30f15647fbea165c51

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1970-Jan-01 00:00:00

Plugin Output

Suspicious PEiD Signature: HQR data file
Info Interesting strings found in the binary: Contains domain names:
  • golang.org
  • http://193.233.74.20
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
  • Uses constants related to SHA512
  • Uses constants related to AES
Suspicious The PE is possibly packed. Unusual section names found:
  • .xdata
  • .symtab
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • LoadLibraryExW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Malicious VirusTotal score: 9/70 (Scanned on 2024-02-11 11:45:51)
  • Bkav: W64.AIDetectMalware
  • CrowdStrike: win/malicious_confidence_90% (D)
  • Cynet: Malicious (score: 100)
  • Elastic: malicious (moderate confidence)
  • Google: Detected
  • Ikarus: Trojan.WinGo.Shellcoderunner
  • Jiangmin: Trojan.Khalesi.bice
  • Microsoft: Trojan:Win32/Sabsik.FL.B!ml
  • Symantec: ML.Attribute.HighConfidence

Hashes

MD5 56a53d20e12aca30f15647fbea165c51
SHA1 f4be0478a00d2bf42556250533065473ec215898
SHA256 5dc232379edb233affaff15acb4a9c82c06cb79a1995d618935bbaac20ecbd49
SHA3 28c0a9be8c433ad5fcc015d09ff2f238d95d360603c7ec2908e1351e3459475f
SSDeep 49152:u6XeVJk2/0XnVmPtAm6S9L5pT9YkMcZ07R8JzbkqzGIBCPdNfyhe3vk5Emg3Eqx:DK70XnVm3p5JnzG4xEnUWzhw
Imports Hash 4f2f006e2ecf7172ad368f8289dc96c1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0x8b
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 8
TimeDateStamp 1970-Jan-01 00:00:00
PointerToSymbolTable 0x52dc00
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 3.0
SizeOfCode 0x28fa00
SizeOfInitializedData 0x34c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000005C580 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 1.0
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x594000
SizeOfHeaders 0x600
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x200000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 9bdf23f46ffbe544c4dccabeb3da7ddf
SHA1 3eb2c47a6f0340c0381b38d4430106c8d5af9f0e
SHA256 f7043f4d4d2a15a43311c7c88c5b542658782e15fdd3871e03ba3af1ae76bfd2
SHA3 372c95639d4a0b824be62836660f447714b1fba340f34e21302ad67281aa0249
VirtualSize 0x28f94b
VirtualAddress 0x1000
SizeOfRawData 0x28fa00
PointerToRawData 0x600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.22552

.rdata

MD5 427aee153547a602a1ca344d5dcb3e5f
SHA1 d7bc66e30a11e1265ceba11331da6e0b3edfefe3
SHA256 322da170c2c3084b899033810632b3293649940e22c8ce8c5a1bb67728f62027
SHA3 55d78e9ae519d82021c7506f45c637a3567af9de235b7a3ba8971e9c9a1d2fd9
VirtualSize 0x24ebe0
VirtualAddress 0x291000
SizeOfRawData 0x24ec00
PointerToRawData 0x290000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.3815

.data

MD5 46c5debae2c9f6f126adbc6a6ead2e38
SHA1 0422a3bf8c7b30e3b9be73825508369b192a23c4
SHA256 903dce4ea2e2b4805f5567e820b908bb7dddeb012607119b7fcd916b7a57afd9
SHA3 ef21826c430a37cb95238f4bae27446dca804c2e6c20d3b23885c42ab82dff90
VirtualSize 0x95c58
VirtualAddress 0x4e0000
SizeOfRawData 0x34c00
PointerToRawData 0x4dec00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.3157

.pdata

MD5 a4fd2fb648dcd6e4a935c202b07b009e
SHA1 955aaeb59547996b35edf9c39d8b1c2b1933cfab
SHA256 2a91aa608c4ecbfb5e512fd5db6a81c46f953e4c8ee829e2c855103f827bb048
SHA3 3d57b2a2fa4bdcfe8952b1f1cadf3fdbf560e828e3b0f1684e32d757b7a6e842
VirtualSize 0xe7c0
VirtualAddress 0x576000
SizeOfRawData 0xe800
PointerToRawData 0x513800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.50537

.xdata

MD5 2a5152ffc3a52ca1d276acd572c41b9a
SHA1 93d684d0586af04bfa48b4a80baf60df47d126a9
SHA256 067f22b5fb7c0a4b3b02a1a08cfa2d20c0970e2c6d7278f9c644caf4da7be097
SHA3 c0198aa0d049e05872b21204a5c3aeec852b36f585d7bac10f4005747cee8018
VirtualSize 0xa8
VirtualAddress 0x585000
SizeOfRawData 0x200
PointerToRawData 0x522000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.63451

.idata

MD5 ad468e989d34970ca8e15567084acebf
SHA1 2ae8569ee47094ac9b3ffe73a584497e7f183277
SHA256 8a9e4d996b097aad37c12274427421051cb4b5e94d63ab4fef821501bf7097c3
SHA3 02af9558af20cf457e0b1ea2cca172e1d7ee183c977ed52a45d48dd15a0a6f9e
VirtualSize 0x516
VirtualAddress 0x586000
SizeOfRawData 0x600
PointerToRawData 0x522200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.85612

.reloc

MD5 993a35c71ff8dcffef60fbcf35ed299a
SHA1 05bafe68bc7c6702233d23477ed5a71ca4fdcf1f
SHA256 fd692aad8bb1c9572d3fad21df78a021e6e842c1ddd440c0277fb916332aea5e
SHA3 c8aa7730c2d87c07f99394b9f9b71d4137d2390d3c681cc96b153568b43e2b96
VirtualSize 0xb30a
VirtualAddress 0x587000
SizeOfRawData 0xb400
PointerToRawData 0x522800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.4339

.symtab

MD5 07b5472d347d42780469fb2654b7fc54
SHA1 943ae54f4818e52409fbbaf60ffd71318d966b0d
SHA256 3e67f4a7d14b832ff2a2433e9cf0f6f5720821f67148a87c0ee2595a20c96c68
SHA3 a70a3e18515c06557b62676f2a8eb6d7d41962d8c9c7c49f4641c429cc65b977
VirtualSize 0x4
VirtualAddress 0x593000
SizeOfRawData 0x200
PointerToRawData 0x52dc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.0203931

Imports

kernel32.dll
WriteFile
WriteConsoleW
WerSetFlags
WerGetFlags
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
TlsAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
RaiseFailFastException
PostQueuedCompletionStatus
LoadLibraryW
LoadLibraryExW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetErrorMode
GetEnvironmentStringsW
GetCurrentThreadId
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateThread
CreateIoCompletionPort
CreateFileA
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors