Manalyze report for 6b83fa4b03fb780b0e808b3dd5314fbfd55ea50389fe0343302ba2f0f0d146b1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Nov-22 16:13:03
Detected languages	English - United States

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: \xf0\x9f\xa7\xa06=!7` Unusual section name found: \xf0\x9f\xa7\xa0pi+` `Unusual section name found: \xf0\x9f\xa7\xa0jD&m` `Unusual section name found: \xf0\x9f\xa7\xa018^&` `Unusual section name found: \xf0\x9f\xa7\xa0V4Or` `Unusual section name found: \xf0\x9f\xa7\xa0\1@/` `Unusual section name found: \xf0\x9f\xa7\xa0^:+A` `Unusual section name found: \xf0\x9f\xa7\xa0?Ig(` `Unusual section name found: \xf0\x9f\xa7\xa0ZlEb`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: NtQuerySystemInformation` `Can access the registry: RegEnumKeyExW` `Uses Microsoft's cryptographic API: CryptAcquireCertificatePrivateKey` `Leverages the raw socket API to access the Internet: WSAIoctl`
Malicious	VirusTotal score: 42/72 (Scanned on 2025-05-08 23:19:16)	`ALYac: QD:Trojan.GenericKDQ.F89E8028DF` `APEX: Malicious` `AVG: Win64:MalwareX-gen [Misc]` `Alibaba: Packed:Win64/VMProtect.fadf7beb` `Antiy-AVL: RiskWare[Packed]/Win32.VMProtect.a` `Arcabit: QD:Trojan.GenericQ.F89E8028DF` `Avast: Win64:MalwareX-gen [Misc]` `BitDefender: QD:Trojan.GenericKDQ.F89E8028DF` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.1746347246293c51` `CTX: exe.trojan.vmprotect` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Packed.VMProtect.AA suspicious` `Elastic: malicious (high confidence)` `Emsisoft: QD:Trojan.GenericKDQ.F89E8028DF (B)` `Fortinet: Riskware/Application` `GData: QD:Trojan.GenericKDQ.F89E8028DF` `Google: Detected` `Gridinsoft: Trojan.Heur!.02212203` `Ikarus: Trojan.Win64.Vmprotect` `K7AntiVirus: Trojan ( 005a7c0f1 )` `K7GW: Trojan ( 005a7c0f1 )` `Lionic: Trojan.Win32.GenericKDQ.4!c` `Malwarebytes: Trojan.MalPack` `McAfee: Artemis!45AEA7DAF40D` `McAfeeD: Real Protect-LS!45AEA7DAF40D` `MicroWorld-eScan: QD:Trojan.GenericKDQ.F89E8028DF` `Microsoft: PUA:Win32/Packunwan` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: Artemis` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score` `TrendMicro-HouseCall: TROJ_GEN.R002H09LQ24` `VIPRE: QD:Trojan.GenericKDQ.F89E8028DF` `Varist: W64/ABTrojan.HCGO-5346` `Xcitium: ApplicUnwnt@#y8ho6lzj27f6` `alibabacloud: Trojan:Win/Packunwan.Gen`

Hashes

MD5	`45aea7daf40dccd745cf145198293c51`
SHA1	`2f60e2956284937d7b36ff7c928ea123accb391c`
SHA256	`6b83fa4b03fb780b0e808b3dd5314fbfd55ea50389fe0343302ba2f0f0d146b1`
SHA3	`2ec1f14bbb6bf78c6b6b6e38ebee6efc3e3ccd489b6ab140924ed567b4bf26f2`
SSDeep	`786432:11YKIYIShjIYpLbEWjvxlvidYQ3cZENQ9aEEt:TYbY/IYpTplK+Q3vYaEEt`
Imports Hash	`bf89f838062bd62783e865cd0624f1e0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2024-Nov-22 16:13:03
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x27c200`
SizeOfInitializedData	`0x216a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000018B2F04 (Section: \xf0\x9f\xa7\xa0?Ig()`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x3512000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

\xf0\x9f\xa7\xa06=!7

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x27c12d`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0pi+`

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1162ac`
VirtualAddress	`0x27e000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0jD&m

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xd3474`
VirtualAddress	`0x395000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

\xf0\x9f\xa7\xa018^&

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1b7d4`
VirtualAddress	`0x469000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0V4Or

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2408`
VirtualAddress	`0x485000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0\1@/

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x141dce1`
VirtualAddress	`0x488000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0^:+A

MD5	`618a615120877c397b813e29882391df`
SHA1	`bea5483041e6a61b1e57005ecb5ffe655b7dcdfb`
SHA256	`ad9a2284f20416a03af259f7dabbb39b8933208848f203777e2d31ce84d8a4a0`
SHA3	`d088954445057003aeaf0a44c36dcfbf7962cd945c77b1da9fcebaad5865359a`
VirtualSize	`0x1da0`
VirtualAddress	`0x18a6000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.196432`

\xf0\x9f\xa7\xa0?Ig(

MD5	`d35d1af75d7a70ca8d6986de682d23d1`
SHA1	`2cb299aca76593617455f433321774bf8c157bc7`
SHA256	`75408f248a21ffad20554caa468836ead04746b4f80762245b178d3dca4e93d4`
SHA3	`2f3582263109102cdb2cd6d254bab3d220ebd798a432f4b27707984dd6779af2`
VirtualSize	`0x1c682c4`
VirtualAddress	`0x18a8000`
SizeOfRawData	`0x1c68400`
PointerToRawData	`0x2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.8743`

\xf0\x9f\xa7\xa0ZlEb

MD5	`81fabdeae1da191013fe216ee4d7bc29`
SHA1	`2444d3deb6c6e2f06df64c79b11eaceb6f402c2d`
SHA256	`f90a5fd9664d96a723c8e076a634bb5a3f0bf0353504a892598d44a8dd928c0d`
SHA3	`69e19217848948854b971edb8b566fadc1094971845f5d81948a439585434b65`
VirtualSize	`0x2e1`
VirtualAddress	`0x3511000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1c6a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.3111`

Imports

KERNEL32.dll	`GetVersionExW`
USER32.dll	`GetScrollRange`
GDI32.dll	`SetTextAlign`
ADVAPI32.dll	`RegEnumKeyExW`
SHELL32.dll	`SHGetDesktopFolder`
ole32.dll	`RevokeDragDrop`
OLEAUT32.dll	`SysAllocString`
ntdll.dll	`NtQuerySystemInformation`
SHLWAPI.dll	`PathRemoveFileSpecW`
WS2_32.dll	`WSAIoctl`
CRYPT32.dll	`CryptAcquireCertificatePrivateKey`
Secur32.dll	`InitSecurityInterfaceW`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_47.dll	`D3DCompile`
IMM32.dll	`ImmGetOpenStatus`
MSIMG32.dll	`AlphaBlend`
UxTheme.dll	`DrawThemeParentBackground`
WINMM.dll	`PlaySoundW`
gdiplus.dll	`GdiplusStartup`
DNSAPI.dll	`DnsNameCompare_W`
RPCRT4.dll	`UuidToStringW`
OLEACC.dll	`CreateStdAccessibleObject`
WINSPOOL.DRV	`ClosePrinter`
KERNEL32.dll (#2)	`GetVersionExW`
KERNEL32.dll (#3)	`GetVersionExW`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x289`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.05508`
MD5	`d28dfc8159f57a557fd3ac5ff8010b47`
SHA1	`269e00eb41eb2a102fdc24763539f758c4370a5f`
SHA256	`c687fd0335259d5149882376f6e7eb501aa1ccf5b4057c44e07760e1b1b799b9`
SHA3	`68f173ef697908b29e1cfeb47c9769a334914e4047c34fd9529fd2854aaeacf2`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140395280`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section \xf0\x9f\xa7\xa06=!7 has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0pi+` has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0jD&m has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa018^& has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0V4Or has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0\1@/ has a size of 0!

Leave a comment

No comments yet.