d682643134287cbeae61b8dece4369707a2de483ddc5d4726227bfdeef269177

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2025-Mar-13 03:24:34
Detected languages English - United States

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to SHA256
Suspicious The PE is packed with UPX Unusual section name found: UPX0
Section UPX0 is both writable and executable.
Unusual section name found: UPX1
Section UPX1 is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
 Can access the registry:
  • RegCloseKey
 Leverages the raw socket API to access the Internet:
  • WSAStartup
 Interacts with the certificate store:
  • CertOpenStore
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 6a9788328d8fd18bc433167489a3894b
SHA1 378096b6daab180c421feceaad3703ddc147e19a
SHA256 d682643134287cbeae61b8dece4369707a2de483ddc5d4726227bfdeef269177
SHA3 95ad8551dcb5fc5d7b18a2e34ada8d5cd32e24303d0d4c86358aa8f1d972bce8
SSDeep 49152:t6tz9NWMqTaZTufjkqUQ+VJY/rWruFTru78S9ns27OWxz7i0O2DuJJljr0EOiUl:t6tzy5TaZibKQ+o/rWrSHu78S9nvR1v
Imports Hash babd84eba6530b6362daafe3644d107d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x130

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 3
TimeDateStamp 2025-Mar-13 03:24:34
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x2ca000
SizeOfInitializedData 0x1000
SizeOfUninitializedData 0x16c000
AddressOfEntryPoint 0x0000000000436010 (Section: UPX1)
BaseOfCode 0x16d000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x438000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x16c000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 b71d738df1c3549e1139d5262fc367dc
SHA1 61214b57c85b536bf87cbe2e9f77e36c9712b49d
SHA256 e09de87c991df400d39572932cec63105e3e50ba4977703d9c7fbf93f49a452b
SHA3 f366ae275f8e5f08e91aabb0c4cfdc64e88170e310802913b4a00f318dcbd977
VirtualSize 0x2ca000
VirtualAddress 0x16d000
SizeOfRawData 0x2c9600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.86108

.rsrc

MD5 24e92fd437226f3460d1e0ce9689561f
SHA1 af0d1655fbe5acfd1c66578821f222b9fee03e89
SHA256 fd904032150ae7e177bee127757c83fb621e6d604d226e86bd8ad2b4042339d1
SHA3 f832e4da1c0f58053398520498f4554f49d417aa4d7028b6b1214fdd4c1a32af
VirtualSize 0x1000
VirtualAddress 0x437000
SizeOfRawData 0x600
PointerToRawData 0x2c9a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.4175

Imports

ADVAPI32.dll RegCloseKey
CRYPT32.dll CertOpenStore
d3d11.dll D3D11CreateDeviceAndSwapChain
D3DCOMPILER_43.dll D3DCompile
d3dx11_43.dll D3DX11CreateShaderResourceViewFromMemory
GDI32.dll GetDeviceCaps
IMM32.dll ImmGetContext
KERNEL32.DLL LoadLibraryA
GetProcAddress
VirtualProtect
Normaliz.dll IdnToAscii
USER32.dll GetDC
WLDAP32.dll #143
WS2_32.dll WSAStartup

Delayed Imports

?ReflectiveLoader@@YA_KPEAX@Z

Ordinal 1
Address 0x5160

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

TLS Callbacks

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x180370d08

RICH Header

XOR Key 0x5ebe7e4f
Unmarked objects 0
C objects (27412) 28
ASM objects (27412) 23
C++ objects (27412) 202
C++ objects (VS 2015/2017/2019 runtime 29913) 37
ASM objects (VS 2015/2017/2019 runtime 29913) 1
253 (28518) 7
C++ objects (30034) 87
C objects (30034) 17
ASM objects (30034) 10
C++ objects (30154) 3
C objects (VS2019 Update 2 (16.2) compiler 27905) 116
Imports (27412) 24
Imports (21202) 7
Total imports 357
C++ objects (30157) 54
Exports (30157) 1
Resource objects (30157) 1
Linker (30157) 1

Errors

[!] Error: Could not reach the TLS callback table. [*] Warning: Section UPX0 has a size of 0!
Leave a comment

No comments yet.