Manalyze report for 77a561a4187fd439ebefdcd7c0a93e5ea7e6fc32862d617a11a65fc620b13e96

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-10 20:00:53
TLS Callbacks	1 callback(s) detected.
Debug artifacts	rustynnel.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe exploit` Contains domain names: 20ca2.playfabapi.com GoDaddy.com account.microsoft.com api.github.com auth.xboxlive.com authorization.franchise.minecraft-services.net b980a380.minecraft.playfabapi.com device.auth.xboxlive.com franchise.minecraft-services.net github.com http://auth.xboxlive.comProofOfPossession https://20ca2.playfabapi.com https://20ca2.playfabapi.com/Client/LoginWithXbox https://account.microsoft.com https://account.microsoft.com/family/ https://api.github.com https://api.github.com/repos/cmgcpf/rustynnel/releases/latest https://authorization.franchise.minecraft-services.net https://b980a380.minecraft.playfabapi.com https://b980a380.minecraft.playfabapi.com/raknetraknet https://device.auth.xboxlive.com https://device.auth.xboxlive.com/device/authenticate https://docs.rs https://github.com https://login.live.com https://login.live.com/login.srf https://login.live.com/oauth20_connect.srfresponse_type https://login.live.com/oauth20_token.srfclient_idscopeservice https://multiplayer.minecraft.net https://multiplayer.minecraft.net/ https://multiplayer.minecraft.net/authenticationMCPE/AndroidClient-Version https://multiplayer.minecraft.net/chainextraDatahttps https://signup.live.com https://signup.live.com/signupYour https://sisu.xboxlive.com https://sisu.xboxlive.com/authorizeContent-Typeapplication/jsonx-xbl-contract-version1SignatureDatex-err login.live.com microsoft.com minecraft-services.net minecraft.net minecraft.playfabapi.com multiplayer.minecraft.net openssl.org playfabapi.com services.net signup.live.com sisu.xboxlive.com user.auth.xboxlive.com xboxlive.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to RC5 or RC6`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegCreateKeyTransactedW RegCreateKeyExW RegCloseKey RegQueryValueExW RegOpenKeyExW RegOpenKeyTransactedW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: NtWriteFile NtCancelIoFileEx NtOpenFile NtReadFile NtCreateNamedPipeFile NtDeviceIoControlFile NtCreateFile` `Leverages the raw socket API to access the Internet: connect ioctlsocket WSASend recv recvfrom getsockname getpeername WSAGetLastError sendto WSASocketW bind shutdown setsockopt WSAIoctl closesocket getaddrinfo getsockopt socket WSAStartup freeaddrinfo send WSACleanup` `Interacts with the certificate store: CertOpenStore CertAddCertificateContextToStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`5b01932ec5d9218574f4c8de072e03aa`
SHA1	`86ffa6cff5ab092c74918eec8d90eb5673358563`
SHA256	`77a561a4187fd439ebefdcd7c0a93e5ea7e6fc32862d617a11a65fc620b13e96`
SHA3	`66c59ac1338b70b69eba71f3d298053419b365b4b3c1b85b1729ebc4b023ee94`
SSDeep	`98304:cgsYJKkWhKcdDmqBz0xUV5vl/erZk+tXGp:Js2bcdLEKNgriEX`
Imports Hash	`22d4fdea53ee2fcca88983178b5bb83f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2026-May-10 20:00:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5af000`
SizeOfInitializedData	`0x2cc400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000591DD0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x87d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`6c745c9bc58619fe04f3ebf95231b543`
SHA1	`c4216c838cf2d65c2098f0e679ec60d4912630e6`
SHA256	`16ce91fca1e77ad1f51e88424b40cd98e6cd4d9da5c0db75d91cd56bd68de0d2`
SHA3	`3feadf7d1b058e406f26e5810e118dbd3820724f5ecbf6c47317c918f9dee6a7`
VirtualSize	`0x5aee99`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5af000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.31934`

.rdata

MD5	`938b57d082388f1de77e0ab287a6622e`
SHA1	`04711b2f95149c0bfcb1a9259c062cdc6b85fb70`
SHA256	`fb12a8c91d5f1b5f51535f32c5a7d539fb39d0993013d84078459d85f445584d`
SHA3	`9a293c29880a7b98c02706187890b8ef30caa6e9e7f72a916460054c45a3109f`
VirtualSize	`0x280b56`
VirtualAddress	`0x5b0000`
SizeOfRawData	`0x280c00`
PointerToRawData	`0x5af400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.16457`

.data

MD5	`b2e9856f1198a8d62623f1fb39c53492`
SHA1	`4a0299282e047e6e5a04dd82b6148a2f77a647bc`
SHA256	`0650e67a9b330b5c05e95b8d112b6eb09cff742ba096b77b5e5a7ca2ce4446ec`
SHA3	`b72abe57d5fa75611ab7e342856abdaf9ae5a8536b2b144a820e59e5e9aa6058`
VirtualSize	`0x3e68`
VirtualAddress	`0x831000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x830000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.14885`

.pdata

MD5	`75b0213835697ca80b7b00cc22246a4b`
SHA1	`6cf7180111c822f8db97fba1bc5f4a2a403112e8`
SHA256	`f401ef9dda7af134641debc4fbd01c38d0c8a186243b3d02d53296cb91ee28fc`
SHA3	`00472013a440259f469792e8fb0134d3b25e1cbd15542f9546c130ec3f34fa72`
VirtualSize	`0x40c44`
VirtualAddress	`0x835000`
SizeOfRawData	`0x40e00`
PointerToRawData	`0x833800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.48385`

.reloc

MD5	`a1b4e15cc5c074082072a1def3abb8af`
SHA1	`5912153c3fe1dcd4d8658c2caf52a34d11e7f206`
SHA256	`51801ba798a89062d176d7d571eff06b1879ca9aa0c10e9ccf61a00e9f933a02`
SHA3	`ade3e1894822538797ef6931b885366362638799b5402c118cb5d790b8ac4c88`
VirtualSize	`0x68cc`
VirtualAddress	`0x876000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x874600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45457`

Imports

kernel32.dll	`DuplicateHandle` `GetCurrentProcess` `WaitForSingleObject` `SetNamedPipeHandleState` `CreateFileW` `GetNumberOfConsoleInputEvents` `SetConsoleMode` `ReadConsoleInputW` `GetFileInformationByHandleEx` `SetHandleInformation` `GetConsoleMode` `SetConsoleCursorInfo` `GetConsoleCursorInfo` `SetConsoleCursorPosition` `FillConsoleOutputAttribute` `FillConsoleOutputCharacterA` `GetConsoleScreenBufferInfo` `GetStdHandle` `MoveFileExW` `PostQueuedCompletionStatus` `ReadFile` `GetOverlappedResult` `WriteFile` `CreateIoCompletionPort` `CancelIoEx` `GetQueuedCompletionStatusEx` `GetProcAddress` `GetModuleHandleW` `SetFileCompletionNotificationModes` `FormatMessageW` `GetLastError` `IsProcessorFeaturePresent` `GetSystemTimeAsFileTime` `Sleep` `GetModuleHandleA` `UnhandledExceptionFilter` `RtlVirtualUnwind` `HeapAlloc` `SetUnhandledExceptionFilter` `CompareStringOrdinal` `FreeEnvironmentStringsW` `InitializeSListHead` `WriteFileEx` `SleepEx` `SetLastError` `GetFullPathNameW` `HeapFree` `GetCurrentThreadId` `SetFileInformationByHandle` `SetFileTime` `HeapReAlloc` `QueryPerformanceFrequency` `QueryPerformanceCounter` `CreateThread` `GetProcessHeap` `GetCurrentProcessId` `ReadFileEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `GetSystemTimePreciseAsFileTime` `GetFileInformationByHandle` `GetEnvironmentStringsW` `GetSystemDirectoryW` `GetWindowsDirectoryW` `CreateProcessW` `TerminateProcess` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `GetCurrentThread` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `CloseHandle` `lstrlenW` `FindFirstFileExW` `FindClose` `ExitProcess` `GetSystemInfo` `SwitchToThread` `WideCharToMultiByte` `WaitForSingleObjectEx` `LoadLibraryA` `CreateMutexA` `ReleaseMutex` `GetFinalPathNameByHandleW` `DeleteFileW` `GetModuleFileNameW` `MultiByteToWideChar` `WriteConsoleW` `GetConsoleOutputCP` `CreateWaitableTimerExW` `SetWaitableTimer` `GetFileAttributesW` `IsDebuggerPresent`
advapi32.dll	`RegCreateKeyTransactedW` `SystemFunction036` `RegCreateKeyExW` `RegCloseKey` `RegQueryValueExW` `RegOpenKeyExW` `RegOpenKeyTransactedW`
bcryptprimitives.dll	`ProcessPrng`
api-ms-win-core-synch-l1-2-0.dll	`WakeByAddressSingle` `WaitOnAddress` `WakeByAddressAll`
ws2_32.dll	`connect` `ioctlsocket` `WSASend` `recv` `recvfrom` `getsockname` `getpeername` `WSAGetLastError` `sendto` `WSASocketW` `bind` `shutdown` `setsockopt` `WSAIoctl` `closesocket` `getaddrinfo` `getsockopt` `socket` `WSAStartup` `freeaddrinfo` `send` `WSACleanup`
secur32.dll	`EncryptMessage` `AcceptSecurityContext` `InitializeSecurityContextW` `FreeContextBuffer` `ApplyControlToken` `FreeCredentialsHandle` `DecryptMessage` `QueryContextAttributesW` `DeleteSecurityContext` `AcquireCredentialsHandleA`
crypt32.dll	`CertOpenStore` `CertAddCertificateContextToStore` `CertDuplicateCertificateContext` `CertCloseStore` `CertEnumCertificatesInStore` `CertDuplicateCertificateChain` `CertFreeCertificateChain` `CertFreeCertificateContext` `CertGetCertificateChain` `CertVerifyCertificateChainPolicy` `CertDuplicateStore`
ntdll.dll	`NtWriteFile` `NtCancelIoFileEx` `NtOpenFile` `NtReadFile` `RtlNtStatusToDosError` `NtCreateNamedPipeFile` `NtDeviceIoControlFile` `NtCreateFile`
bcrypt.dll	`BCryptGenRandom`
VCRUNTIME140.dll	`__CxxFrameHandler3` `__C_specific_handler` `__current_exception_context` `_CxxThrowException` `memset` `memcmp` `memmove` `memcpy` `__current_exception`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `pow` `fmod` `ceil`
api-ms-win-crt-string-l1-1-0.dll	`strlen`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `malloc` `free` `calloc`
api-ms-win-crt-runtime-l1-1-0.dll	`_set_app_type` `_configure_narrow_argv` `_seh_filter_exe` `_initialize_onexit_table` `_wassert` `_initialize_narrow_environment` `_get_initial_narrow_environment` `_crt_atexit` `_register_onexit_function` `_initterm_e` `exit` `_exit` `terminate` `__p___argc` `__p___argv` `_cexit` `_c_exit` `_register_thread_local_exe_atexit_callback` `_initterm`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode` `__p__commode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-May-10 20:00:53
Version	`0.0`
SizeofData	`38`
AddressOfRawData	`0x74f808`
PointerToRawData	`0x74ec08`
Referenced File	rustynnel.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-May-10 20:00:53
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x74f830`
PointerToRawData	`0x74ec30`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-10 20:00:53
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x74f844`
PointerToRawData	`0x74ec44`

TLS Callbacks

StartAddressOfRawData	`0x14074fb98`
EndAddressOfRawData	`0x14074fe28`
AddressOfIndex	`0x140834860`
AddressOfCallbacks	`0x1405b0718`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000140503340`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140834640`

RICH Header

XOR Key	`0x70bf40fc`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`12`
Imports (35207)	`2`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`24`
Total imports	`295`
C objects (35219)	`96`
Unmarked objects (#2)	`612`
Linker (35219)	`1`

Errors

Leave a comment

No comments yet.