Manalyze report for 5c35a91243023fd9bde2ae1808a77c2f

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Jan-09 11:38:31
Detected languages	English - United States
TLS Callbacks	2 callback(s) detected.
Debug artifacts	E:\workplace\Androws\p-4ff796941325489e9c426b6fb216f108\build\bin\Release\AndrowsAssistant.pdb
CompanyName	Tencent
FileDescription	腾讯应用宝
FileVersion	`1.0.1990.0`
LegalCopyright	Copyright (C) 2022 Tencent. All Rights Reserved.
InternalName	Androws
ProductName	Androws
ProductVersion	`1.0.1990.0`

Plugin Output

Info	Interesting strings found in the binary:	Contains domain names: .H.pI.ir .IYi.T.es .cR.O.it .d.MS7.ru .myqcloud.com .qGga.au 3g.qq.com A.q.K.uk C.H4KY.Bi.ca H4KY.Bi.ca I.uZ.F.uk IYi.T.es KE7z.o.AKm2.uk L.r2C.br Q.k.bd.D.nl R.Q.Q.uk U.R.Q.Q.uk U.a.d.de WI.aad.d.de Xr.d.r4.us Z.Mv.v.tk aad.d.de ar8.q.br d.MS7.ru html5.qq.com http://www.w3.org http://www.w3.org/2000/svg https://yybadaccess.3g.qq.com https://yybadaccess.3g.qq.com/v3/pcyyb_get_cos_conf https://yybadaccess.3g.qq.com/v3/pcyyb_get_rainbow_conf https://yybadaccess.sparta.html5.qq.com https://yybadaccess.sparta.html5.qq.com/v3/pcyyb_get_cos_conf https://yybadaccess.sparta.html5.qq.com/v3/pcyyb_get_rainbow_conf k.bd.D.nl mI.Z0I4.ru myqcloud.com o.AKm2.uk sparta.html5.qq.com t.y1H.ru tID.f.se taua.Q.k.bd.D.nl wbI.z.U.a.d.de www.w3.org yybadaccess.3g.qq.com yybadaccess.sparta.html5.qq.com z.U.a.d.de
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA1`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryW GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegCloseKey RegQueryValueExW RegOpenKeyExW RegSetValueExW RegCreateKeyExW` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileA GetTempPathA GetTempPathW CreateFileW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Manipulates other processes: Process32FirstW Process32NextW OpenProcess`
Malicious	VirusTotal score: 23/71 (Scanned on 2024-05-14 12:18:54)	`AVG: Win64:MalwareX-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.C5621681` `Antiy-AVL: Trojan[Backdoor]/Win32.Cobalt` `Avast: Win64:MalwareX-gen [Trj]` `Avira: TR/AVI.Agent.sxzag` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Agent_AGen.BSH` `F-Secure: Trojan.TR/AVI.Agent.sxzag` `Fortinet: W64/Agent_AGen.BSH!tr` `GData: Win64.Trojan.Agent.6VY0IB` `Google: Detected` `Ikarus: Trojan.Win64.Agent` `K7GW: Trojan ( 005b57581 )` `Kaspersky: VHO:Backdoor.Win32.Cobalt.gen` `Kingsoft: Win32.Hack.Cobalt.gen` `Lionic: Trojan.Win32.Cobalt.m!c` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Rising: Backdoor.Cobalt!8.1233E (TFE:5:4s5NDUib3nB)` `Sangfor: Backdoor.Win32.Cobalt.Vpvv` `Sophos: Mal/Generic-S` `Symantec: Trojan.Gen.MBT` `Varist: W64/ABRisk.KGEM-9291` `ZoneAlarm: VHO:Backdoor.Win32.Cobalt.gen`

Hashes

MD5	`5c35a91243023fd9bde2ae1808a77c2f`
SHA1	`e05b182237ff23e8fef304f88f635fa3c0f236cb`
SHA256	`2cd9936fbdd2b98d1abfe9396341501223d35aa43b88a8ca1337dca36f4553ed`
SHA3	`c1d76b6a9cce43731db6ba4d09597a6e4dc4924a80d9a7a8abaddcd2da4ab669`
SSDeep	`49152:DsN4biAC+v6saSeF5/u9jZ429UyFXcGRT1MuPyCCRHpm87iB2cBFk5hTfw7eFeA:wR/wUYh1WUuD`
Imports Hash	`4d46148568bc2fc6787efc8e7b54209d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x158`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2024-Jan-09 11:38:31
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1ca800`
SizeOfInitializedData	`0xa9600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000182360 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x414000`
SizeOfHeaders	`0x400`
Checksum	`0x41a539`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ad6d1615e77864358d3c9321ec2f0398`
SHA1	`c55c17c8c818697689c0f9edf7da7b95a3fd98d3`
SHA256	`4988e361a3154478cca83c9ae2e3f0ebd66ffd7075e41b9031c63f601d08215e`
SHA3	`66f18f4f6a37b586757822307e978569dcf3367fcb810389fe659c72140632da`
VirtualSize	`0x1ca698`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1ca800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.42463`

.rdata

MD5	`af3b76140c8bf6139cfada931da0f458`
SHA1	`a556eb64d24a203a48d6dfa427c2b051517fbaf3`
SHA256	`d8c854aa589b1b5fe84ec6fcab9a5c07dbb3d8592b712a2d799c8ac49b2f0bfe`
SHA3	`a406defad804c6e90de6ffdbc43bbb366a63944ec213e49666452af92fede85b`
VirtualSize	`0x6f8e8`
VirtualAddress	`0x1cc000`
SizeOfRawData	`0x6fa00`
PointerToRawData	`0x1cac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.18543`

.data

MD5	`a5718e19166152f1e8c45e6716a0136f`
SHA1	`fafe37bd57353ae383011a2ce13907567e8ef99e`
SHA256	`5499a3bb5e3becb1ff9805ab78eb97ef568c337f01ea6a91699ac391ecead92a`
SHA3	`171c0e7d50633fdc49e74eb0eacd382852bdad2cec3f14700ca97558539cbf7d`
VirtualSize	`0x1fb14`
VirtualAddress	`0x23c000`
SizeOfRawData	`0x1a600`
PointerToRawData	`0x23a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.26981`

.pdata

MD5	`1afd0a6c6b45902bcf876b5787334873`
SHA1	`54f855dad9511e2ea818a879587675e4891ae2bf`
SHA256	`ec41928bf46a07800f73a371a7db8123e07400c08bf4543a5f9429d760e74c4e`
SHA3	`15650eb21275f935422ba0e19b3f3fc0aa0a4eaf0b24cdb34f736fbdf0bdef0c`
VirtualSize	`0x18114`
VirtualAddress	`0x25c000`
SizeOfRawData	`0x18200`
PointerToRawData	`0x254c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.00346`

.rsrc

MD5	`11c32fcfcbb9fe56b156c51dc1ab174f`
SHA1	`ed78d55a1ccf1393ae2f418c792988b446140824`
SHA256	`e311c29eb7b5a37458a16eae24ec7080163322d98877748e5add1e2c188d0b0f`
SHA3	`cdae6541ab02eefdd902c5ade543c810ac4cf66dcbaf1ea84cf9037b90b36fe9`
VirtualSize	`0x19b200`
VirtualAddress	`0x275000`
SizeOfRawData	`0x19b400`
PointerToRawData	`0x26ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.60839`

.reloc

MD5	`e48bbc99e6f38d4543d12f828071f180`
SHA1	`fe76a40bbca2c959c6995b2fec1b967724cc7ffa`
SHA256	`09198bd5e1aa5bf40e5002cbfcb3d092bca5ac5d0ee5063a40d4ba7c869fc9ea`
SHA3	`9c51513941dc0755423ee9560be8aef6455f57ef9e59bef4f019d8e84dd73500`
VirtualSize	`0x2920`
VirtualAddress	`0x411000`
SizeOfRawData	`0x2a00`
PointerToRawData	`0x408200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.43309`

Imports

KERNEL32.dll	`RtlCaptureContext` `ResetEvent` `InitializeCriticalSectionAndSpinCount` `InitOnceBeginInitialize` `InitOnceComplete` `GetCPInfoExW` `FindFirstFileExW` `SetFileInformationByHandle` `IsDebuggerPresent` `GetStartupInfoW` `CopyFileW` `GetFileInformationByHandleEx` `ReleaseSRWLockExclusive` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `InitializeSListHead` `AcquireSRWLockShared` `ReleaseSRWLockShared` `AcquireSRWLockExclusive` `RtlLookupFunctionEntry` `FlushFileBuffers` `QueryPerformanceCounter` `FormatMessageA` `GetSystemTime` `GetSystemTimeAsFileTime` `SystemTimeToFileTime` `LockFileEx` `LocalFree` `UnlockFile` `HeapCompact` `DeleteFileA` `WaitForSingleObjectEx` `LoadLibraryA` `CreateFileA` `FlushViewOfFile` `OutputDebugStringW` `GetFileAttributesA` `GetDiskFreeSpaceA` `FormatMessageW` `GetTempPathA` `HeapValidate` `UnlockFileEx` `GetFullPathNameA` `InitializeCriticalSection` `LeaveCriticalSection` `LockFile` `OutputDebugStringA` `GetDiskFreeSpaceW` `GetFullPathNameW` `EnterCriticalSection` `HeapCreate` `TryEnterCriticalSection` `AreFileApisANSI` `VirtualFree` `VirtualAlloc` `GetTickCount` `GetCurrentThreadId` `GetTempPathW` `SetFileAttributesW` `CreateDirectoryW` `MoveFileExW` `GetFileInformationByHandle` `SetFilePointer` `SetEndOfFile` `GetFileSize` `FindNextFileW` `FindFirstFileW` `FindClose` `CreateSemaphoreW` `ReleaseSemaphore` `UnmapViewOfFile` `MapViewOfFile` `OpenFileMappingW` `CreateFileMappingW` `VirtualQuery` `SignalObjectAndWait` `CreateMutexW` `GetCommandLineA` `WideCharToMultiByte` `FreeLibrary` `LoadLibraryW` `GetFileAttributesExW` `GetModuleHandleA` `GetLocaleInfoW` `GetModuleFileNameW` `GetSystemDirectoryW` `GetCommandLineW` `Process32FirstW` `Process32NextW` `CreateToolhelp32Snapshot` `OpenProcess` `TerminateProcess` `OpenMutexA` `ReleaseMutex` `GetExitCodeProcess` `SetEvent` `Sleep` `CreateEventW` `CreateProcessA` `GetModuleHandleW` `IsProcessorFeaturePresent` `GetProcAddress` `GetActiveProcessorCount` `GetSystemInfo` `CloseHandle` `DeleteFileW` `GetFileAttributesW` `CreateFileW` `WaitForSingleObject` `PeekNamedPipe` `CreatePipe` `WriteFile` `GetCurrentProcess` `ReadFile` `GlobalMemoryStatusEx` `GetPhysicallyInstalledSystemMemory` `GetProcessHeap` `DeleteCriticalSection` `HeapDestroy` `HeapAlloc` `HeapReAlloc` `GetLastError` `MultiByteToWideChar` `HeapSize` `InitializeCriticalSectionEx` `HeapFree` `VirtualProtect`
USER32.dll	`ReleaseDC` `EnumDisplayDevicesA` `DefWindowProcW` `DestroyWindow` `CreateWindowExW` `RegisterClassW` `UnregisterClassW` `GetWindowRect` `GetDC` `GetSystemMetrics` `GetForegroundWindow`
GDI32.dll	`SetPixelFormat` `GetDeviceCaps` `ChoosePixelFormat`
SHELL32.dll	`CommandLineToArgvW` `ShellExecuteExW` `SHGetFolderPathW`
ole32.dll	`CoCreateGuid`
OLEAUT32.dll	`SysAllocString` `SysAllocStringLen` `SysFreeString`
ADVAPI32.dll	`InitializeSecurityDescriptor` `SetSecurityDescriptorDacl` `RegCloseKey` `OpenProcessToken` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `GetTokenInformation` `RegQueryValueExW` `RegOpenKeyExW` `RegSetValueExW` `RegCreateKeyExW`
SHLWAPI.dll	`PathFileExistsW` `PathAppendW` `StrRChrW` `StrCpyNW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x442e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.79981`
Detected Filetype	PNG graphic file
MD5	`bf6592e0d40340612f522d1ff0ba25c3`
SHA1	`c68cce4249c6b9a3741fa801b7ca11f1dcaf7a2d`
SHA256	`9e1b82751e2d84b3210e460f76b70247551029aa13a1a90994d133a5a645aa3b`
SHA3	`8c9bd58c20e58ca7cf44e3abebd88f7d0dde885628ebbb2909a51dd637e705da`

11

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.51664`
Detected Filetype	Icon file
MD5	`897850a49c45e7df1add4e31b518fcef`
SHA1	`4d8b19f1c87816ff39f10ea5d4fe979af282c72d`
SHA256	`f2309474234af88ed847829e056e291065ef2bf4e9a14e944b49bbe0f95b4e69`
SHA3	`9618a52a6a9573c74a9ea78b23b1007a53710c0c90ecfdb244c7b5a3fc2ab4ef`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40638`
MD5	`0a7e940b97035086fc96488dc5f5cc48`
SHA1	`96b3c9ccf7b5e496b445928d36ebeae8345d208f`
SHA256	`68f58c432ce4cfa733ccd39375212cf4771a605640c481d40005058ea3ac9a0a`
SHA3	`b0b6de35e54f255390f8b297ea4d250f164d01ba5692ed90716e3c67ba6b9dc2`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.1990.0
ProductVersion	1.0.1990.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Tencent
FileDescription	腾讯应用宝
FileVersion (#2)	1.0.1990.0
LegalCopyright	Copyright (C) 2022 Tencent. All Rights Reserved.
InternalName	Androws
ProductName	Androws
ProductVersion (#2)	1.0.1990.0

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Jan-09 11:38:31
Version	`0.0`
SizeofData	`119`
AddressOfRawData	`0x211640`
PointerToRawData	`0x210240`
Referenced File	E:\workplace\Androws\p-4ff796941325489e9c426b6fb216f108\build\bin\Release\AndrowsAssistant.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-Jan-09 11:38:31
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x2116b8`
PointerToRawData	`0x2102b8`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Jan-09 11:38:31
Version	`0.0`
SizeofData	`1028`
AddressOfRawData	`0x2116cc`
PointerToRawData	`0x2102cc`

TLS Callbacks

StartAddressOfRawData	`0x140211af0`
EndAddressOfRawData	`0x140211c71`
AddressOfIndex	`0x14025af80`
AddressOfCallbacks	`0x1401d2740`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES`
Callbacks	`0x00000001401825AC` `0x0000000140182374`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14024cdb8`

RICH Header

XOR Key	`0x54a12fbb`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`20`
Imports (VS2017 v15.8.9 compiler 26732)	`8`
C objects (30034)	`10`
ASM objects (30034)	`4`
C++ objects (30034)	`43`
Imports (30034)	`6`
253 (28518)	`7`
C++ objects (CVTCIL) (27412)	`1`
C objects (27412)	`4`
C objects (CVTCIL) (27412)	`1`
Imports (VS2019 Update 11 (16.11.16-17) compiler 30146)	`12`
C++ objects (VS2019 Update 11 (16.11.6-7) compiler 30137)	`28`
C objects (VS2019 Update 11 (16.11.6-7) compiler 30137)	`1`
C++ objects (VS2019 Update 11 (16.11.16-17) compiler 30146)	`27`
C++ objects (30151)	`8`
Imports (27412)	`21`
Total imports	`1272`
C++ objects (LTCG) (VS2019 Update 11 (16.11.16-17) compiler 30146)	`63`
Exports (VS2019 Update 11 (16.11.16-17) compiler 30146)	`1`
Resource objects (VS2019 Update 11 (16.11.16-17) compiler 30146)	`1`
151	`1`
Linker (VS2019 Update 11 (16.11.16-17) compiler 30146)	`1`

5c35a91243023fd9bde2ae1808a77c2f

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

11

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors