Manalyze report for 6d7cd009b59c830890e0f03d5af1fcc5

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Nov-16 20:58:14

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe`
Malicious	The PE contains functions mostly used by malware.	`Code injection capabilities (process hollowing): ResumeThread SetThreadContext WriteProcessMemory` `Possibly launches other programs: CreateProcessA` `Manipulates other processes: WriteProcessMemory`
Malicious	VirusTotal score: 53/69 (Scanned on 2023-02-06 18:57:22)	`ALYac: Trojan.Meterpreter.Extension.I` `APEX: Malicious` `AVG: Win64:ShellCode-B [Trj]` `Acronis: suspicious` `AhnLab-V3: Trojan/Win32.RL_Generic.R366185` `Alibaba: Trojan:Win64/Meterpreter.874b1092` `Antiy-AVL: Trojan/Win64.Generic` `Arcabit: Trojan.Meterpreter.Extension.I` `Avast: Win64:ShellCode-B [Trj]` `Avira: HEUR/AGEN.1245274` `BitDefender: Trojan.Meterpreter.Extension.I` `CAT-QuickHeal: Trojan.GenericRI.S21254274` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Cyren: W64/Meterpreter.E.gen!Eldorado` `DrWeb: Trojan.Inject4.49858` `ESET-NOD32: a variant of Win64/Injector.EO` `Elastic: Windows.Trojan.Metasploit` `Emsisoft: Trojan.Meterpreter.Extension.I (B)` `F-Secure: Heuristic.HEUR/AGEN.1245274` `FireEye: Generic.mg.6d7cd009b59c8308` `Fortinet: W64/Injector.EO!tr` `GData: Trojan.Meterpreter.Extension.I` `Google: Detected` `Ikarus: Trojan.Win64.Rozena` `Jiangmin: Trojan.Generic.gocrt` `K7AntiVirus: Trojan ( 0058006f1 )` `K7GW: Trojan ( 0058006f1 )` `Kaspersky: HEUR:Trojan.Win32.Generic` `Lionic: Trojan.Win32.Generic.4!c` `MAX: malware (ai score=86)` `Malwarebytes: Rozena.Trojan.Shell.DDS` `MaxSecure: Trojan.Malware.7164915.susgen` `McAfee: Artemis!6D7CD009B59C` `McAfee-GW-Edition: BehavesLike.Win64.Injector.xz` `MicroWorld-eScan: Trojan.Meterpreter.Extension.I` `Microsoft: Trojan:Win64/Meterpreter.B` `Paloalto: generic.ml` `Panda: Trj/CI.A` `Rising: Trojan.Injector!8.C4 (CLOUD)` `SUPERAntiSpyware: Trojan.Agent/Gen-Injector` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Sophos: ATK/Reflect-M` `Symantec: Trojan Horse` `Tencent: Trojan.Win64.Meterpreter.wa` `TrendMicro: TROJ_GEN.R002C0DEJ22` `TrendMicro-HouseCall: TROJ_GEN.R002C0DEJ22` `VBA32: Trojan.Win64.Meterpreter` `VIPRE: Trojan.Meterpreter.Extension.I` `Yandex: Trojan.Agent!+lEePvwFiAM` `Zillya: Trojan.Generic.Win32.1285592` `ZoneAlarm: HEUR:Trojan.Win32.Generic`

Hashes

MD5	`6d7cd009b59c830890e0f03d5af1fcc5`
SHA1	`cb5497530f5309a43b1bf1bf2b3ba511e0b41a13`
SHA256	`0b6fca5ac92c0ac0c463c23e5a31c5248c136879809f6e9ffa1a7fb4a7e5ee37`
SHA3	`3d66ab5c7bc00f855af376524c1757b002b140de5de3d965eac9a3e4fef04e14`
SSDeep	`48:i7uD6XmotviCNIA734mkhthkYkJggydFeqhNYajSD9C2S:4WIgA73xJgXdcqUB5`
Imports Hash	`57d6e7112c8e716cfe2eb0ff9f36763c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`4`
TimeDateStamp	2020-Nov-16 20:58:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x400`
SizeOfInitializedData	`0x1a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000011B0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x6000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a5b4808e3ad9113363fbbd9578aa1266`
SHA1	`8868c4f31df2165a0ced429a4b0cbb6f2a40d276`
SHA256	`95fc9a495aab1e51b6e68d847cc0bd7e824ee97e6923b9a531d3bf77c5a51d51`
SHA3	`6d6a351217220dcbe24299a1b019aa63eff337d038a2ab51a8f19bce4abcc62a`
VirtualSize	`0x327`
VirtualAddress	`0x1000`
SizeOfRawData	`0x400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.26457`

.rdata

MD5	`7fa26a3404f8f191601f01a29edd7310`
SHA1	`ff6f23791ba384a48a437288a58a3fde9a56db87`
SHA256	`ac70945ae0577174f853274fd9ff9239ee3b5aa2951b390248032582346c656f`
SHA3	`a76170a9db88c72e857be569e2f790944e28b163a81f27ef3f46031b6c52027d`
VirtualSize	`0x310`
VirtualAddress	`0x2000`
SizeOfRawData	`0x400`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.30734`

.data

MD5	`b507e7ba25cba4923a13005246b36e3b`
SHA1	`6dfb2b004e3467d46525572f3c50d91096166a5c`
SHA256	`01a48c84ac62be755ab0c459c4b349d63cceedaf21d012e34dd98ed605dde66d`
SHA3	`abe5cb3232a42f239dfb67966e815534fe47c53607be921c8ce99fba509b9171`
VirtualSize	`0x1225`
VirtualAddress	`0x3000`
SizeOfRawData	`0x1400`
PointerToRawData	`0xc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.17219`

.pdata

MD5	`1948f4c4f02cb10e43b8f842ec781ca9`
SHA1	`8048a66f4c92b3149bebbebeca86a1da7eb02e03`
SHA256	`8864638bcab0f73e18c49ad23c7c0c72b98ed1f5e1e2a4bbf76f079e3479b405`
SHA3	`767cad83794ecf5c553e4e7565a775dfdc988526187b76c969cc7f6068eb6817`
VirtualSize	`0x30`
VirtualAddress	`0x5000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.423184`

Imports

KERNEL32.dll	`CloseHandle` `ReleaseSemaphore` `WaitForSingleObject` `CreateEventA` `OpenEventA` `ExitThread` `ResumeThread` `CreateProcessA` `GetThreadContext` `SetThreadContext` `VirtualAllocEx` `WriteProcessMemory` `CreateSemaphoreA`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Nov-16 20:58:14
Version	`0.0`
SizeofData	`212`
AddressOfRawData	`0x208c`
PointerToRawData	`0x88c`

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xb4683911`
Unmarked objects	`0`
Imports (VS2017 v14.15 compiler 26715)	`3`
Total imports	`13`
C objects (VS2019 Update 6 (16.6.1-5) compiler 28806)	`1`
Linker (VS2019 Update 6 (16.6.1-5) compiler 28806)	`1`

6d7cd009b59c830890e0f03d5af1fcc5

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

Imports

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors