Manalyze report for 7d7f0dbc4d3279d8c31a7a4526fd201aad042359829bcf2189746495fa97bbd4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Aug-28 21:40:59

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .mcgk` `Section .mcgk is both writable and executable.` `The PE only has 1 import(s).`
Malicious	VirusTotal score: 54/71 (Scanned on 2026-04-09 13:41:58)	`ALYac: Generic.ShellCode.Marte.3.E68A050C` `APEX: Malicious` `AVG: Win32:Meterpreter-C [Trj]` `AhnLab-V3: Trojan/Win.Generic.R734916` `Antiy-AVL: Trojan/Win32.Meterpreter` `Arcabit: Generic.ShellCode.Marte.3.E68A050C` `Avast: Win32:Meterpreter-C [Trj]` `Avira: TR/Crypt.XPACK.Gen` `BitDefender: Generic.ShellCode.Marte.3.E68A050C` `Bkav: W32.AIDetectMalware` `CTX: exe.unknown.marte` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.Inject6.5094` `ESET-NOD32: Win32/Rozena.BZ trojan` `Elastic: Windows.Trojan.Metasploit` `Emsisoft: Generic.ShellCode.Marte.3.E68A050C (B)` `F-Secure: Trojan.TR/Crypt.XPACK.Gen` `Fortinet: W32/Rozena.D!tr` `GData: Win32.Backdoor.Swrort.C` `Google: Detected` `Gridinsoft: Malware.Win32.Gen.bot!se23023` `Ikarus: Trojan.Win32.Rozena` `Jiangmin: Trojan.Generic.guisj` `K7AntiVirus: Trojan ( 00117be11 )` `K7GW: Trojan ( 00117be11 )` `Kaspersky: HEUR:Trojan.Win32.Generic` `Malwarebytes: Trojan.MetaSploit` `MaxSecure: Trojan.Malware.121218.susgen` `McAfeeD: Real Protect-LS!6C9AF6B275B4` `MicroWorld-eScan: Generic.ShellCode.Marte.3.E68A050C` `Microsoft: Trojan:Win32/Meterpreter.RPZ!MTB` `NANO-Antivirus: Virus.Win32.Gen.ccmw` `Rising: HackTool.Swrort!1.6477 (CLASSIC)` `SUPERAntiSpyware: Trojan.Agent/Gen-Crypt` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Infected.zz` `Sophos: Troj/Swrort-K` `Tencent: Trojan.Win32.Metasploit_heur.16000690` `Trapmine: malicious.high.ml.score` `TrellixENS: Trojan-JBAQ!6C9AF6B275B4` `TrendMicro-HouseCall: Trojan.Win32.VSX.PE04C9z` `VBA32: BScope.Trojan.Meterpreter` `VIPRE: Generic.ShellCode.Marte.3.E68A050C` `Varist: W32/Trojan.JFLT-0704` `VirIT: Trojan.Win32.Rozena.AA` `Webroot: W32.Trojan.Agent.Gen` `ZoneAlarm: Troj/Swrort-K` `Zoner: Probably Heur.ExeHeaderL` `alibabacloud: Backdoor:Win/shellcode.api(dyn)` `huorong: HVM:Trojan/Swrort.gen!A`

Hashes

MD5	`6c9af6b275b49f9141f19cfce343c81f`
SHA1	`e407ad70f5f5b059a75b920ed6e6f989bb93975e`
SHA256	`7d7f0dbc4d3279d8c31a7a4526fd201aad042359829bcf2189746495fa97bbd4`
SHA3	`12582c192c895b6d5733a6a30fe4542a8b0d03651b447651f3e3f8b700c321c9`
SSDeep	`24:eFGSG9wSVUICMy58XZh9h9ClfAhWYhIAJvTP4up+:iG+Ax7yeXZh9hMluWYxJr4b`
Imports Hash	`c2d02fc98f1d75d7b9457468ec75da0e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2025-Aug-28 21:40:59
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`1.0`
SizeOfCode	`0x2000`
SizeOfInitializedData	`0x3000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00005000 (Section: .mcgk)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x51c8`
SizeOfHeaders	`0x288`
Checksum	`0x7cfd`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0738767f162380434ddd6456cb8bce58`
SHA1	`6bcce489633e91ff63be6f125638b2c61e62a62c`
SHA256	`28603f29d0880c124d44acf9a45945e13f6cc7bc90615380142c19bc9bbe54e0`
SHA3	`2e743252397e528605eb0b9901c30a5dc2a95cb9972b94f0a299615cf3ddefb7`
VirtualSize	`0x28`
VirtualAddress	`0x1000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`0.598323`

.rdata

MD5	`e0500532ecb4a73aeab25350434d9153`
SHA1	`5eddcbfae4e477efd6f560712030e78dc2a32862`
SHA256	`7b6d158f8a65988e941ac778e85aebb22988adafe8fd568dfdb4cdac699e225e`
SHA3	`082f43cb65987beba745675b0c24a351fb5240f53e4cfbd719dfa7491e1549cd`
VirtualSize	`0x160`
VirtualAddress	`0x2000`
SizeOfRawData	`0x200`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.57901`

.data

MD5	`4e4dbc1129eafd947386ae894c7d621e`
SHA1	`bfa4d2bba59321a9a42f2e145c9319874a8ee64e`
SHA256	`a9fd64ffbf779c67c0578a547f441b4ee8192f5484d14993b7898c00cf9b8328`
SHA3	`f068c6c0c0c4994dac80616ad2adf172f7f7cd54272936f0b9b76c482fd9c033`
VirtualSize	`0x1000`
VirtualAddress	`0x3000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0257642`

.reloc

MD5	`8fe7ebb540356c3cbdac1fac82bf3668`
SHA1	`eb7f4bfef8832b513508e79206c03398dfebf3ad`
SHA256	`18b99c3e0535d1d4cc321c67d4d3176fd017fe784259cb90c9e3049c97ebe6a2`
SHA3	`2a83fec71baebb832ffcaa3eed9795d49fc4770becac9a9f29e977ae50762c22`
VirtualSize	`0x10`
VirtualAddress	`0x4000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.144416`

.mcgk

MD5	`94ee1972ea98fc93b1d6ad2338cafc5a`
SHA1	`816d733381228f7bf610bd5e0d0c3030948e4e4e`
SHA256	`190da2f9f6a5e9ff5d4ececc0f4ae276b3ea04d8302d3359f7ea0e5fbd29537b`
SHA3	`6205b371e66707547c15b14480061841351f987f79f7640716ecbf5796426835`
VirtualSize	`0x1c8`
VirtualAddress	`0x5000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.58483`

Imports

KERNEL32.dll	`VirtualProtect`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x946b65dd`
Unmarked objects	`0`
Imports (33140)	`3`
Total imports	`1`
C objects (35207)	`1`
Linker (35207)	`1`

Errors

Leave a comment

No comments yet.