Manalyze report for 791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Dec-20 18:29:38
Detected languages	English - United States
CompanyName	Microsoft Corporation
FileDescription	MDMAgent
FileVersion	`10.0.22621.2506 (WinBuild.160101.0800)`
InternalName	MDMAgent
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MDMAgent
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.22621.2506`

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Malicious	The PE's digital signature is invalid.	`Signer: Akeo Consulting` `Issuer: Sectigo Public Code Signing CA EV R36` `The file was modified after it was signed.`
Malicious	VirusTotal score: 46/72 (Scanned on 2023-12-27 17:39:14)	`Bkav: W64.AIDetectMalware` `Lionic: Trojan.Win32.Agent.Y!c` `MicroWorld-eScan: Gen:Variant.Lazy.397984` `FireEye: Gen:Variant.Lazy.397984` `CAT-QuickHeal: TrojanSpy.Agent` `Skyhigh: Artemis!Trojan` `McAfee: GenericRXAA-FA!D87B402B821F` `Malwarebytes: Malware.AI.4007626012` `Zillya: Trojan.Agent.Script.1752413` `Alibaba: Packed:Win64/PyInstaller.e79e44b7` `Arcabit: Trojan.Lazy.D612A0` `Symantec: ML.Attribute.HighConfidence` `Elastic: malicious (high confidence)` `ESET-NOD32: a variant of Win64/Packed.PyInstaller.L` `Cynet: Malicious (score: 100)` `APEX: Malicious` `Kaspersky: Trojan-Spy.Win32.Agent.dffz` `BitDefender: Gen:Variant.Lazy.397984` `Avast: Win32:Agent-BDOJ [Trj]` `Rising: Spyware.Agent/PYC!1.EA8F (CLASSIC)` `Sophos: Mal/Generic-S` `F-Secure: Trojan.TR/Crypt.FKM.Gen` `VIPRE: Gen:Variant.Lazy.397984` `TrendMicro: TROJ_GEN.R002C0XLM23` `Emsisoft: Gen:Variant.Lazy.397984 (B)` `Ikarus: Trojan-Spy.Python.BlankGrabber` `Jiangmin: TrojanSpy.Agent.afwt` `Avira: TR/Crypt.FKM.Gen` `MAX: malware (ai score=80)` `Antiy-AVL: GrayWare/Win32.Wacapew` `Gridinsoft: Trojan.Win64.Agent.oa!s1` `Microsoft: Trojan:Win32/Sabsik.FL.B!ml` `ZoneAlarm: Trojan-Spy.Win32.Agent.dffz` `GData: Gen:Variant.Lazy.397984` `Google: Detected` `ALYac: Gen:Variant.Lazy.397984` `Cylance: unsafe` `Panda: Trj/Chgt.AD` `TrendMicro-HouseCall: TROJ_GEN.R002C0XLM23` `Tencent: Win32.Trojan.FalseSign.Rqil` `Yandex: TrojanSpy.Agent!N+I33HhwxX0` `SentinelOne: Static AI - Suspicious PE` `Fortinet: W32/PossibleThreat` `AVG: Win32:Agent-BDOJ [Trj]` `DeepInstinct: MALICIOUS` `CrowdStrike: win/malicious_confidence_100% (W)`

Hashes

MD5	`d87b402b821fa842d89283aa8654d9c0`
SHA1	`30c086651e1bcd191163c01efbab55f51ec04691`
SHA256	`791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678`
SHA3	`b6f7dbe51b7dd37001bd45f85385a59cc1cd4298e4f4963a878e4f08163af96b`
SSDeep	`196608:WoeEzryqpLjv+bhqNVoB8Ck5c7GpNlpq41J2jnFHbk9qtlDfJP:EWyKL+9qz88Ck+7q3p91Jin8qfZ`
Imports Hash	`1af6c885af093afc55142c2f1761dbe8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2023-Dec-20 18:29:38
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x29e00`
SizeOfInitializedData	`0x17200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000C1F0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x48000`
SizeOfHeaders	`0x400`
Checksum	`0x8219e0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`62616acf257019688180f494b4eb78d4`
SHA1	`012f637ebf64da68093faf41b0f2c939dc5902af`
SHA256	`7568a0023ac06e947f3977db238017d17e80aa694b2fca2e2177a27a9d9b7c73`
SHA3	`136fb604286631346b13055e41f751ac4ced839cb08e916296bb3889740f75fb`
VirtualSize	`0x29c90`
VirtualAddress	`0x1000`
SizeOfRawData	`0x29e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.4831`

.rdata

MD5	`7aa3d5eab610b40e57242dc83c401270`
SHA1	`1576d28f667a5e53af278c33b075bc53ab7cb0cb`
SHA256	`f9883e5f6cb6e85d63c9231ee2c8050db61976a3b486ce5fcc77131ce0f830e0`
SHA3	`e36b9de8a3802f69844b15ec71713b87eda8a507596df728cc6588d29661f925`
VirtualSize	`0x12bf4`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x12c00`
PointerToRawData	`0x2a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.83507`

.data

MD5	`99d84572872f2ce8d9bdbc2521e1966e`
SHA1	`1745c4ccf67c876d978058025646a6fc708919e0`
SHA256	`38832a73d4f0bee667066837ff09b7b2d61d6a52f95f8ff67f31699d6259cd20`
SHA3	`58fe1fb70b3e9e03cced62aeeb962d64068bf67d1a451d70017c8ebd326cad3a`
VirtualSize	`0x3338`
VirtualAddress	`0x3e000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82717`

.pdata

MD5	`39f0a7d8241a665fc55289b5f9977819`
SHA1	`9434c071dd5d0d893bb3b1ff7938635f2b8e7b78`
SHA256	`a4522af33f823a5501b7449a4955fb1300d48ad82dedff0be9bc5991bbef8c6a`
SHA3	`5b395d7accf8a4dbdd5dfeffeadb07309e3c735855df1796f0a093c772ff8118`
VirtualSize	`0x22a4`
VirtualAddress	`0x42000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x3dc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.31639`

_RDATA

MD5	`624222957a635749731104f8cdf6f9b7`
SHA1	`d41e40498bc70e400e76e7a3585431f4145e40b9`
SHA256	`4bb815b5aeb6d4a8c6d79f03aca77fd8e5932d67665a11e808b174b714eef724`
SHA3	`bdae1a4bc0c2bd0d06a72a76c9a599ea3afe7dfa004e0b46277675f1ec38068e`
VirtualSize	`0x15c`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x40000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.83327`

.rsrc

MD5	`cd17ad3571acb68f6e691815ac5f5a72`
SHA1	`d8d26a90b546859f7f3389e549320eeb3ab03d8f`
SHA256	`599243061ceb77019d2ca923825e12c6ede6eaf33d8b82dea88dbd9fce7143f7`
SHA3	`1d0342cb214ee9c1f1f70719b4a2eea9a4e69e515612d44241b323cbacbf55c5`
VirtualSize	`0x924`
VirtualAddress	`0x46000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x40200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.14266`

.reloc

MD5	`4138d4447f190c2657ec208ef31be551`
SHA1	`41f776fbf46111f4aac8e7ff1e7fa89541eda087`
SHA256	`6d0446dfad2fe0f8b0220b0031af4c220fbb7e9002fdb1c76bd38c4d17b85aed`
SHA3	`b89616b1b553c7efb9a63061f47fa6c98e5e668e1965a28a42e3c0c42647ddc6`
VirtualSize	`0x75c`
VirtualAddress	`0x47000`
SizeOfRawData	`0x800`
PointerToRawData	`0x40c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.24013`

Imports

USER32.dll	`CreateWindowExW` `MessageBoxW` `MessageBoxA` `SystemParametersInfoW` `DestroyIcon` `SetWindowLongPtrW` `GetWindowLongPtrW` `GetClientRect` `InvalidateRect` `ReleaseDC` `GetDC` `DrawTextW` `GetDialogBaseUnits` `EndDialog` `DialogBoxIndirectParamW` `MoveWindow` `SendMessageW`
COMCTL32.dll	`#380`
KERNEL32.dll	`IsValidCodePage` `GetStringTypeW` `GetFileAttributesExW` `HeapReAlloc` `FlushFileBuffers` `GetCurrentDirectoryW` `GetACP` `GetOEMCP` `GetModuleHandleW` `MulDiv` `GetLastError` `SetDllDirectoryW` `GetModuleFileNameW` `CreateSymbolicLinkW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `GetCPInfo` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `FreeLibrary` `LoadLibraryExW` `SetConsoleCtrlHandler` `FindClose` `FindFirstFileExW` `CloseHandle` `GetCurrentProcess` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `WriteConsoleW` `SetEndOfFile` `SetEnvironmentVariableW` `RtlUnwindEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindNextFileW` `SetStdHandle` `DeleteFileW` `ReadFile` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW`
ADVAPI32.dll	`OpenProcessToken` `GetTokenInformation` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
GDI32.dll	`SelectObject` `DeleteObject` `CreateFontIndirectW`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x374`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50146`
MD5	`3335ecf9c14b0c39e938e781f9b24b52`
SHA1	`a39658b99a412eeb5dc0a3eec003ed159241945b`
SHA256	`10f7d94de05372c264638ee81ffa0ebd4f5aa8b94efd93736c804e1a39dfb8f6`
SHA3	`b703077e1bd33d9cfbf21cb33046f95af381c24e2c358d8b07ca98227dda3d9c`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.22621.2506
ProductVersion	10.0.22621.2506
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	MDMAgent
FileVersion (#2)	10.0.22621.2506 (WinBuild.160101.0800)
InternalName	MDMAgent
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MDMAgent
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.22621.2506

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Dec-20 18:29:38
Version	`0.0`
SizeofData	`772`
AddressOfRawData	`0x3a860`
PointerToRawData	`0x39a60`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003e018`
GuardCFCheckFunctionPointer	`5368886304`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x853fae11`
Unmarked objects	`0`
ASM objects (30795)	`8`
C++ objects (30795)	`188`
C objects (30795)	`10`
253 (VS 2015-2022 runtime 32533)	`4`
C++ objects (VS 2015-2022 runtime 32533)	`40`
C objects (VS 2015-2022 runtime 32533)	`17`
ASM objects (VS 2015-2022 runtime 32533)	`9`
Imports (30795)	`11`
Total imports	`139`
C objects (32826)	`21`
Linker (32826)	`1`

Errors

Leave a comment

No comments yet.