Manalyze report for 6afb0d25685e402770d8cf06067531a1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Aug-20 16:07:50
Detected languages	English - United States
Debug artifacts	C:\Users\nicov\OneDrive\Desktop\User\x64\Release\User.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegSetValueExW RegQueryValueExW RegCloseKey RegEnumKeyExW RegOpenKeyExW` `Possibly launches other programs: CreateProcessW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Manipulates other processes: Process32FirstW Process32NextW OpenProcess`
Malicious	VirusTotal score: 46/70 (Scanned on 2022-04-03 14:13:51)	`Lionic: Trojan.Win32.DelShad.4!c` `Cynet: Malicious (score: 100)` `McAfee: Artemis!6AFB0D25685E` `Cylance: Unsafe` `Sangfor: Trojan.Win32.DelShad.grq` `K7AntiVirus: Riskware ( 0040eff71 )` `BitDefender: Gen:Variant.Bulz.651108` `K7GW: Riskware ( 0040eff71 )` `Symantec: Trojan.Gen.MBT` `Elastic: malicious (high confidence)` `ESET-NOD32: a variant of Win64/GenKryptik.FJSS` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: Trojan.Win32.DelShad.grq` `Alibaba: Trojan:Win32/DelShad.53720acf` `MicroWorld-eScan: Gen:Variant.Bulz.651108` `Avast: Win64:Malware-gen` `Tencent: Win32.Trojan.Delshad.Wteh` `Ad-Aware: Gen:Variant.Bulz.651108` `Emsisoft: Gen:Variant.Bulz.651108 (B)` `F-Secure: Trojan.TR/AD.RansomHeur.trars` `DrWeb: Trojan.MulDrop19.12038` `Zillya: Trojan.GenKryptik.Win64.2145` `McAfee-GW-Edition: Artemis!Trojan` `FireEye: Gen:Variant.Bulz.651108` `Sophos: Mal/Generic-S` `Ikarus: Trojan.Win64.Meterpreter` `Jiangmin: Trojan.DelShad.btr` `Avira: TR/AD.RansomHeur.trars` `MAX: malware (ai score=88)` `Antiy-AVL: Trojan/Win32.DelShad` `Microsoft: Ransom:Win32/Aicat.A!ml` `Gridinsoft: Ransom.Win64.DelShad.sa` `Arcabit: Trojan.Bulz.D9EF64` `ZoneAlarm: Trojan.Win32.DelShad.grq` `GData: Gen:Variant.Bulz.651108` `AhnLab-V3: Trojan/Win.Generic.C4683663` `VBA32: Trojan.DelShad` `ALYac: Gen:Variant.Bulz.651108` `Malwarebytes: Trojan.Agent` `Rising: Trojan.DelShad!8.107D7 (CLOUD)` `MaxSecure: Trojan.Malware.300983.susgen` `Fortinet: W32/DelShad.GRQ!tr` `AVG: Win64:Malware-gen` `Panda: Trj/CI.A` `CrowdStrike: win/malicious_confidence_60% (W)`

Hashes

MD5	`6afb0d25685e402770d8cf06067531a1`
SHA1	`946da629f5843481397731089eb51d7b73ab225c`
SHA256	`9933611a7bfbcb0626681285b254cae765ef89347388f21385dedf9467f035f7`
SHA3	`7d2f949d76d8a37b54da9359da566ad4ccda0dcddbb168f7ba76d8e33dd23f7c`
SSDeep	`1536:XBWWn+NaZ+HKkANSjrhM4LuIa50fsS0VKjGZjA6TJqyin+sWKzd7m9dl7szsOP:xWWVfim4CIXsJVMGZjAwdiTpSBsoOP`
Imports Hash	`3a87042b0322c69742810e391255ba56`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2021-Aug-20 16:07:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x14600`
SizeOfInitializedData	`0xec00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001D14 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x28000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0fdc5974c9e061ded2802fb721fec3f0`
SHA1	`1947a3033589ac4712ec20a0ebeb5bb67399b530`
SHA256	`f13b4ebca206be1a22ecbcfe0925167592f6a7a02b2c69711f49885c14ee3fcb`
SHA3	`229193263dc5c4eb58a855460c833ab0d2eca4de90dd22bd078e3c0cc71a9c88`
VirtualSize	`0x14470`
VirtualAddress	`0x1000`
SizeOfRawData	`0x14600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47699`

.rdata

MD5	`9ac358e9f1f965c3205d04f64c8f95e0`
SHA1	`03f70a797b29cf8e15a47aa2d34af9b0b8a2d2d8`
SHA256	`80520db2d67fd712d27e22a48b3358fd66d93f33045caabfedb09cb55a45256a`
SHA3	`9653df9728a7aa8c376804f76624daf962828841f1dbbf477a5f506d96cef574`
VirtualSize	`0xabac`
VirtualAddress	`0x16000`
SizeOfRawData	`0xac00`
PointerToRawData	`0x14a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.98496`

.data

MD5	`8f6c6775d2f4f7060e099521b06e714d`
SHA1	`3be73f562d372ee9bc218e71ce6a3a54b4e09f6f`
SHA256	`56a1f5885654e78c7ef642b510dae31bee8082cea81b9527e15879b98df6c50e`
SHA3	`b43e1f7355a7efb83571ba4a43d9337e4073f5bc1d8bb32dbe717bc6b757d9f0`
VirtualSize	`0x1e50`
VirtualAddress	`0x21000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x1f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.79765`

.pdata

MD5	`eb7d1af605384101ef52e146fd9b3a19`
SHA1	`240596ba88173293a7276e1f8c561b26694fd4b6`
SHA256	`cc096645cfe757be1980222048db082611ff6fd142828621b7ec4ee3a5378f6d`
SHA3	`1380b8cdd6106fdb16359b71ced4a879e5e7c3e06cfe4bd32d1d71cd5f255586`
VirtualSize	`0x123c`
VirtualAddress	`0x23000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x20200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.69292`

_RDATA

MD5	`b34769e3b4370899a79f547e0521136c`
SHA1	`d349c45b1adf6585015aceedc8ad091601b4c953`
SHA256	`55d4cc8e9f3f5f005aa5979b3b402cc78e8f6c78bf119b00f69e265cd6b1d1c4`
SHA3	`7431dc6514a1721b944b727c2ceb7c7d1d2763f96185da2cc87bc7a6339b1919`
VirtualSize	`0x180`
VirtualAddress	`0x25000`
SizeOfRawData	`0x200`
PointerToRawData	`0x21600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.72418`

.rsrc

MD5	`2d22e421adfc8228f1491d43140ec4d8`
SHA1	`8f1253df4a17329ed6108f35a9e982513ace2726`
SHA256	`26f4f46e35114b076744a9d7eee464f022513c707dbebfdc7823357f1c6d0ba7`
SHA3	`0f57e0042e76e18b05b073f14566e66623d3e7ef50fc52054d495efd048b3f9a`
VirtualSize	`0x1e8`
VirtualAddress	`0x26000`
SizeOfRawData	`0x200`
PointerToRawData	`0x21800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.76813`

.reloc

MD5	`3afa779098bdc71b5defe6da9b8a9c57`
SHA1	`50377f73ec6e7ba0bbbe4676f1ab2e364b0e063d`
SHA256	`0e635d45236dbad42b02dc6a6fbc87050ded4547dda3225244089929b28c9d50`
SHA3	`b95bbab5b6807a09188d8ab6fa6cda64de4ba2cac794bf245cb02c36a156a80f`
VirtualSize	`0x65c`
VirtualAddress	`0x27000`
SizeOfRawData	`0x800`
PointerToRawData	`0x21a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.87369`

Imports

KERNEL32.dll	`GetLastError` `CreateFileW` `FindClose` `GetCurrentProcess` `FindNextFileW` `GetTickCount` `GetModuleHandleW` `GetProcAddress` `LoadLibraryW` `CloseHandle` `Process32FirstW` `Process32NextW` `CreateToolhelp32Snapshot` `OpenProcess` `WriteConsoleW` `TerminateProcess` `HeapReAlloc` `HeapSize` `SetFilePointerEx` `GetFileSizeEx` `GetConsoleMode` `GetConsoleOutputCP` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `RaiseException` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `HeapAlloc` `HeapFree` `CompareStringW` `LCMapStringW` `GetFileType` `WaitForSingleObject` `GetExitCodeProcess` `CreateProcessW` `GetFileAttributesExW` `GetStringTypeW` `FindFirstFileExW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetStdHandle` `GetProcessHeap` `FlushFileBuffers`
ADVAPI32.dll	`LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegSetValueExW` `OpenProcessToken` `RegQueryValueExW` `RegCloseKey` `RegEnumKeyExW` `RegOpenKeyExW`
SHLWAPI.dll	`SHDeleteValueW`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Aug-20 16:07:50
Version	`0.0`
SizeofData	`82`
AddressOfRawData	`0x1ee80`
PointerToRawData	`0x1d880`
Referenced File	C:\Users\nicov\OneDrive\Desktop\User\x64\Release\User.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Aug-20 16:07:50
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x1eed4`
PointerToRawData	`0x1d8d4`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Aug-20 16:07:50
Version	`0.0`
SizeofData	`696`
AddressOfRawData	`0x1eee8`
PointerToRawData	`0x1d8e8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2021-Aug-20 16:07:50
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140021008`

RICH Header

XOR Key	`0xa21ddd89`
Unmarked objects	`0`
C objects (27412)	`11`
ASM objects (27412)	`5`
C++ objects (27412)	`148`
C++ objects (VS 2015/2017/2019 runtime 29913)	`37`
C objects (VS 2015/2017/2019 runtime 29913)	`17`
ASM objects (VS 2015/2017/2019 runtime 29913)	`9`
Imports (27412)	`11`
Total imports	`119`
C objects (LTCG) (VS2019 Update 9 (16.9.5) compiler 29915)	`2`
Resource objects (VS2019 Update 9 (16.9.5) compiler 29915)	`1`
Linker (VS2019 Update 9 (16.9.5) compiler 29915)	`1`

6afb0d25685e402770d8cf06067531a1

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors