Manalyze report for 6e34968c363d0f48a166d938ad8f48e25bc6e48183de459d98e5d98d7120732c

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-01 00:33:52
Detected languages	English - United States
CompanyName	CheshireCat
FileDescription	Action! Loader
FileVersion	`4.0.0.0`
LegalCopyright	Â© CheshireCat
ProductName	Action! Loader
ProductVersion	`4.0.0.0`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Can access the registry: RegCreateKeyExW RegOpenKeyExW RegEnumValueW RegDeleteKeyW RegDeleteValueW RegCloseKey RegSetValueExW RegQueryValueExW RegEnumKeyW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Changes object ACLs: SetFileSecurityW` `Can shut the system down or lock the screen: ExitWindowsEx`
Malicious	The file contains overlay data.	`11329 bytes of data starting at offset 0x1d200.` `The file contains a 7-Zip compressed file after the PE data.`
Safe	VirusTotal score: 0/69 (Scanned on 2026-06-02 18:43:28)	`All the AVs think this file is safe.`

Hashes

MD5	`021d09b33e605c7098bb61800b5e7228`
SHA1	`1745c11802217bedcfe944eb301a031246d80e93`
SHA256	`6e34968c363d0f48a166d938ad8f48e25bc6e48183de459d98e5d98d7120732c`
SHA3	`0476fe7a612b768abbcfdbccfa27cd4ffbca94359486465751466b7ead4ed489`
SSDeep	`3072:gs77w1OlWUt1uFYQMMMMMMMMMMMM/OYteFNnWoS:5mOPMMMMMMMMMMMMMBteFJWoS`
Imports Hash	`b34f154ec913d2d2c435cbd644e91687`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Aug-01 00:33:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6400`
SizeOfInitializedData	`0x22a00`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x0000333D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x52000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b2dd5d917f94d75528a11411abe5681c`
SHA1	`dca5cbb0cc1595681bdd02f759c2717a25e2e71c`
SHA256	`5d5d7b8f798de66f756656a03ffb44a5bec3fd7cbad255ab9d1b1cec8ab3cce6`
SHA3	`f0c2bff38583d737605d0ec70c17a29756201ee99acf7cdfbcf388684ba32400`
VirtualSize	`0x626d`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.42313`

.rdata

MD5	`2914bac53cd4485c9822093463e4eea6`
SHA1	`613e9f1f18c58313b0e05bb3681015060648e0f2`
SHA256	`6492a4a1379c33d7e8cba30c286b60df2b43e95e426c02ad5549e93c815cb4f3`
SHA3	`b5f69e6a137adb1b259f22aeb61a84d23d891dde99c1b57d64cbc8c0b264da01`
VirtualSize	`0x138e`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.14645`

.data

MD5	`c46c24ddc9bf88a6774bd207204164b9`
SHA1	`e0f49b481b8c596bd7c1903db7aa6cb58f7e9315`
SHA256	`fc51a5d377820a4afd1cdc2f6a9628f14b6beb1e3c63466a07a031dd55081789`
SHA3	`3d8029516fab6a3b8a760596ed9d9955562116dc457a630e71fff14a3c77e4e7`
VirtualSize	`0x20318`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.90653`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x12000`
VirtualAddress	`0x2b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`85dae054ae502a4351514223531aa91b`
SHA1	`0da94fb878334de12229f21b734775026b3df760`
SHA256	`430e495b9f8f73481290723edad8a209be4bfed950eeaad1478e4b9bf6f3d3d3`
SHA3	`040f656f6922f0166e4ec88be7eec8563ad80f788f6dfe6477334cb600e79b09`
VirtualSize	`0x14eb0`
VirtualAddress	`0x3d000`
SizeOfRawData	`0x15000`
PointerToRawData	`0x8200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.10178`

Imports

KERNEL32.dll	`SetEnvironmentVariableW` `SetFileAttributesW` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameW` `GetCurrentProcess` `CopyFileW` `SetCurrentDirectoryW` `GetFileAttributesW` `GetWindowsDirectoryW` `GetTempPathW` `GetCommandLineW` `GetVersion` `SetErrorMode` `lstrlenW` `lstrcpynW` `GetDiskFreeSpaceW` `ExitProcess` `GetShortPathNameW` `CreateThread` `GetLastError` `CreateDirectoryW` `CreateProcessW` `RemoveDirectoryW` `lstrcmpiA` `CreateFileW` `GetTempFileNameW` `WriteFile` `lstrcpyA` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `lstrcmpiW` `MoveFileW` `GetFullPathNameW` `SetFileTime` `SearchPathW` `CompareFileTime` `lstrcmpW` `CloseHandle` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalLock` `GlobalUnlock` `GlobalAlloc` `FindFirstFileW` `FindNextFileW` `DeleteFileW` `SetFilePointer` `ReadFile` `FindClose` `lstrlenA` `MulDiv` `MultiByteToWideChar` `WideCharToMultiByte` `GetPrivateProfileStringW` `WritePrivateProfileStringW` `FreeLibrary` `LoadLibraryExW` `GetModuleHandleW`
USER32.dll	`GetSystemMenu` `SetClassLongW` `EnableMenuItem` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongW` `SetCursor` `LoadCursorW` `CheckDlgButton` `GetMessagePos` `LoadBitmapW` `CallWindowProcW` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `OpenClipboard` `ScreenToClient` `GetWindowRect` `GetDlgItem` `GetSystemMetrics` `SetDlgItemTextW` `GetDlgItemTextW` `MessageBoxIndirectW` `CharPrevW` `CharNextA` `wsprintfA` `DispatchMessageW` `PeekMessageW` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `DrawTextW` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CreateWindowExW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `GetDC` `SetTimer` `SetWindowTextW` `LoadImageW` `SetForegroundWindow` `ShowWindow` `IsWindow` `SetWindowLongW` `FindWindowExW` `TrackPopupMenu` `AppendMenuW` `CreatePopupMenu` `EndPaint` `CreateDialogParamW` `SendMessageTimeoutW` `wsprintfW` `PostQuitMessage`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectW` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `ShellExecuteExW` `SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `SHFileOperationW`
ADVAPI32.dll	`AdjustTokenPrivileges` `RegCreateKeyExW` `RegOpenKeyExW` `SetFileSecurityW` `OpenProcessToken` `LookupPrivilegeValueW` `RegEnumValueW` `RegDeleteKeyW` `RegDeleteValueW` `RegCloseKey` `RegSetValueExW` `RegQueryValueExW` `RegEnumKeyW`
COMCTL32.dll	`ImageList_Create` `ImageList_AddMasked` `ImageList_Destroy` `#17`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.75563`
MD5	`ad0e6d82ed6251e157d627d0ffde01f0`
SHA1	`ffdfda19c5deeeace9c055729523e6df27af574d`
SHA256	`94c3814a23bc5ebcb12ef1c879c4f02aba2550936a507ac0c62ab6d9c4c7f62d`
SHA3	`14fe5a2f32269760cd11af9660bbb6cdb29dacdf563d1dfd5cf8dae181a8c32e`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.7686`
MD5	`2ec1ac4266679be19d4cb3a746ce00e6`
SHA1	`58014c15a2cf082c6927439989a394bd9f25676c`
SHA256	`041598b500e06d9c170759623cc92ca906b6692f9c7f51f029adb4d022c63c1a`
SHA3	`3142bee6c6a9d3e0be18963e53a4273c9fc370ded460c1d493d9698e5370a499`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.07292`
MD5	`482d3c415a147a8cececfc86a1de8cf4`
SHA1	`cd9dc1252a92f8bcbb8dbcc4b3931b60c42fd8db`
SHA256	`1d9e3cb694877c90fe26ab96719133f0d9c334f6b66238c3b9966faf09b1a0cd`
SHA3	`b2488f33af3a25344c4a3ac26f4e20c1efefab73feb6871987cd522913c2257e`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.00389`
MD5	`8b5df7fb31f513885b2f7b60fd77c741`
SHA1	`8db023529b534e256aba9b61e62d4a708a5a9a2c`
SHA256	`a5adfe14abd7c47d846c487f3cc5279c6d8879f884cd58439e0201bdee11789b`
SHA3	`91c243535139ca8ced13fb0e9b2cf0ffe35c7f3c0af89e1e0dfa1c52324a70d5`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.65982`
Detected Filetype	Icon file
MD5	`6fa39a5f6db3ad3489ae7c80de34d0af`
SHA1	`461e0c84813d6c2f9e33b08cb928a69d5f3e97cf`
SHA256	`d58d7d4bbc58f023d4bb203dd967e15f6681460612b02ad935e7ff3979dc6102`
SHA3	`5b2e3150d50439424a0da2167805f6606a0d1cabed9ce800c5e259a72a21d091`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x240`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.20816`
MD5	`b93c7a0c914fb55736ebfb2d0c88d347`
SHA1	`7a8ff65745bf9b1493ea026f56461d1c3a9c88b4`
SHA256	`b8c0a5a294d07f3d46b02132bafacdc9a95359c94044daa642779702b1bcca04`
SHA3	`5b0b4b5a18e0910cc3c41d5a43879346c59fbeb9883b0711b57e95626c44c48f`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x466`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.31497`
MD5	`38e3b1c7dcf7f10e91aae89c881bbe2c`
SHA1	`ed1b491fd4d99973abe7ef7e3dd02ad1a2023ca0`
SHA256	`c238afcec2bce1555d92bbd9348d66f8ca17e0e6997f1bf9451b057e0e0e2a94`
SHA3	`6b487ae069a5c5ca50303f7999af35c32cc4210717e8f928e2e55987a6fea39d`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	4.0.0.0
ProductVersion	4.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	CheshireCat
FileDescription	Action! Loader
FileVersion (#2)	4.0.0.0
LegalCopyright	Â© CheshireCat
ProductName	Action! Loader
ProductVersion (#2)	4.0.0.0

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd26650e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`165`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!

Leave a comment

No comments yet.