Manalyze report for 825fbab710f4bfbc1a0c80a56b7cf7f0

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe`
Suspicious	The PE is possibly packed.	`Unusual section name found: /4` `Unusual section name found: .xdata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Code injection capabilities (process hollowing): ResumeThread SetThreadContext WriteProcessMemory` `Possibly launches other programs: CreateProcessA` `Memory manipulation functions often used by packers: VirtualAllocEx VirtualProtect VirtualProtectEx` `Manipulates other processes: WriteProcessMemory`
Suspicious	The file contains overlay data.	`14 bytes of data starting at offset 0x4cc00.`
Malicious	VirusTotal score: 25/59 (Scanned on 2021-04-08 08:11:06)	`Elastic: malicious (high confidence)` `FireEye: Generic.mg.825fbab710f4bfbc` `Cylance: Unsafe` `Sangfor: Backdoor.Win32.CobaltStrike.L` `Alibaba: Backdoor:Win32/CobaltStrike.e9b6b51d` `K7GW: Trojan ( 0050e1491 )` `Cybereason: malicious.f4e00a` `Symantec: Backdoor.Cobalt` `ESET-NOD32: a variant of Win64/RiskWare.CobaltStrike.Artifact.A` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Trojan.CobaltStrike-9044898-1` `AegisLab: Trojan.Win32.Malicious.4!c` `eGambit: Unsafe.AI_Score_58%` `Kingsoft: Win32.Troj.Undef.(kcloud)` `GData: Win64.Trojan.Agent.SZANRY` `Cynet: Malicious (score: 100)` `McAfee: Artemis!825FBAB710F4` `TrendMicro-HouseCall: TROJ_GEN.R002H01D721` `SentinelOne: Static AI - Malicious PE` `Fortinet: PossibleThreat.PALLASNET.H` `Webroot: W32.Trojan.Gen` `Panda: Trj/CI.A` `CrowdStrike: win/malicious_confidence_90% (W)` `Qihoo-360: Win64/Trojan.Generic.HgEASSQA`

Hashes

MD5	`825fbab710f4bfbc1a0c80a56b7cf7f0`
SHA1	`25110bff4e00ad80ca26bb38c084bbe6c2dc3ba4`
SHA256	`68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e`
SHA3	`c80e9d146e08043e580d8a9b1361ca32a09e50970a6d22b87c9c13f611601e43`
SSDeep	`6144:BzEfZJVX/pQEGCq6Wph5Y6p8UvsYJ9+6I/90C+OyeJjBhq:BGZJV6Ed3v6p8Uv19+sErBhq`
Imports Hash	`659cb99b53c4406dda332310ca49ae1c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x4cc00`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x7400`
SizeOfInitializedData	`0x4c800`
SizeOfUninitializedData	`0xe00`
AddressOfEntryPoint	`0x00000000000014C0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x54000`
SizeOfHeaders	`0x400`
Checksum	`0x576a0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`46ad51ac51245a61bebccec196b029b1`
SHA1	`b35e657ccc02cacd424b60af190dfbf43d34c91b`
SHA256	`8f9c6d67b20b7cfb47e0f33f257bc33cb18db973e5ff61d327581516e927f36c`
SHA3	`b0d07928f91abbdf166765aaf7645a68200d0df3b767dfaee8c5a3f093740c92`
VirtualSize	`0x7278`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.2842`

.data

MD5	`6edfb7018cdccc90f915d3ee96642457`
SHA1	`d7f1576c9fe69cfb95dd9685b565a187633592aa`
SHA256	`724919f0c19042fef50371ac80b892faa1b0125a973456e39f9745884ca49b15`
SHA3	`ca734f20beb94886d5d1e5f500848b5ac97d7d94d3efbb6ccecb9192c0fceaa1`
VirtualSize	`0x42500`
VirtualAddress	`0x9000`
SizeOfRawData	`0x42600`
PointerToRawData	`0x7800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.27258`

.rdata

MD5	`b3afde346c883c3d072841010f3576e9`
SHA1	`09440a47b2b6a3f44866770afcddbfe54dc46d7e`
SHA256	`2db27fbde67d21f9f2c68fb65b1b710f7ccee78c2288ffb6fdf1d3883c5894d2`
SHA3	`2c2000991decdd0a4022f0325ebe6ca04fbb04991f11a2e63bb1b9dd9e78b6ee`
VirtualSize	`0xe70`
VirtualAddress	`0x4c000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x49e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.18592`

/4

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x4`
VirtualAddress	`0x4d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4ae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.pdata

MD5	`218b3452c79525b8e11f357fae1c8bdf`
SHA1	`1021e0039cebb60b16ce65afc81fa112d59f39a4`
SHA256	`d2aa0b4d968ecbf54677cdc7bd270d210be2943ddcc314e6acd92831f0f0baa8`
SHA3	`d3124ea87aba7cdd0adcb193dbcb6fd74d0d342d8ec6a07baa747861d6e1c792`
VirtualSize	`0x510`
VirtualAddress	`0x4e000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.04689`

.xdata

MD5	`15536cf446e49bd17ab4d9ed36b819d3`
SHA1	`ec6b2111330275eaa85571642b512d4257757b44`
SHA256	`8f773abbe6c3e11aad910336c9ae9227e88145f505a6a15ba7577346dba1d10e`
SHA3	`3753ecb77035870e9a2a6fb340854bfadea4558bc4a80c6a30d47b9020c484ba`
VirtualSize	`0x4b8`
VirtualAddress	`0x4f000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.78271`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc60`
VirtualAddress	`0x50000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`00298a5c07a15831bb437a16c319268e`
SHA1	`abc409ae2767007ea8644d7b90ab7e2368929d99`
SHA256	`818c28e4c63fc8e739bb0a7d574e3dfa26c1ac17cd154d26ae83b0ee36b4d1c5`
SHA3	`3efe22d5a4525948dc2eb146a74dc5b62db6f4bcb906737b77f71bf12bc26d75`
VirtualSize	`0xb14`
VirtualAddress	`0x51000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x4bc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.22276`

.CRT

MD5	`f440cc70fa8c64e2afe75ad7b7f52725`
SHA1	`e748c3715f8d53beb3c2141b1e10e78fec2b5ba0`
SHA256	`e25cad6592249c9958c47aa8c9ba9d04a9b5e60c4fb9ca336411687ef2752ba5`
SHA3	`57e3205bbc07f52dc3e31ef2643b4debe7c0d1d3edbbb92d1203c12d22b7f648`
VirtualSize	`0x68`
VirtualAddress	`0x52000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4c800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.253738`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x53000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4ca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

Imports

ADVAPI32.dll	`RegisterServiceCtrlHandlerA` `SetServiceStatus` `StartServiceCtrlDispatcherA`
KERNEL32.dll	`CloseHandle` `ConnectNamedPipe` `CreateFileA` `CreateNamedPipeA` `CreateProcessA` `CreateThread` `DeleteCriticalSection` `EnterCriticalSection` `ExitProcess` `FreeLibrary` `GetCurrentProcess` `GetEnvironmentVariableA` `GetLastError` `GetModuleHandleA` `GetProcAddress` `GetStartupInfoA` `GetThreadContext` `GetTickCount` `InitializeCriticalSection` `IsDBCSLeadByteEx` `LeaveCriticalSection` `LoadLibraryA` `MultiByteToWideChar` `ReadFile` `ResumeThread` `SetThreadContext` `SetUnhandledExceptionFilter` `Sleep` `TlsGetValue` `VirtualAllocEx` `VirtualProtect` `VirtualProtectEx` `VirtualQuery` `WideCharToMultiByte` `WriteFile` `WriteProcessMemory`
msvcrt.dll	`__C_specific_handler` `___lc_codepage_func` `___mb_cur_max_func` `__getmainargs` `__initenv` `__iob_func` `__lconv_init` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_cexit` `_commode` `_errno` `_fmode` `_initterm` `_onexit` `_snprintf` `abort` `calloc` `exit` `fprintf` `fputc` `free` `fwrite` `localeconv` `malloc` `memcpy` `memset` `signal` `strerror` `strlen` `strncmp` `vfprintf` `wcslen`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x453000`
EndAddressOfRawData	`0x453008`
AddressOfIndex	`0x45015c`
AddressOfCallbacks	`0x452040`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000000401D40` `0x0000000000401D10`

Load Configuration

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Section .bss has a size of 0!
[*] Warning: Raw bytes from section .text could not be obtained.