Manalyze report for 89fd50b5d8e2e028364277a16783b5f39b465b6a31bb3f6698c785603bdd906e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Info	The PE is digitally signed.	`Signer: editions.geo.hosted.abcotvs.com` `Issuer: Amazon RSA 2048 M04`
Malicious	VirusTotal score: 28/71 (Scanned on 2026-06-08 01:38:21)	`APEX: Malicious` `AVG: Win64:Evo-gen [Trj]` `Alibaba: Backdoor:Win64/Kryptik.b132bef7` `Avast: Win64:Evo-gen [Trj]` `Avira: TR/W64.Evo` `Bkav: W32.Malware.59C05D6D` `CrowdStrike: win/malicious_confidence_90% (D)` `DeepInstinct: MALICIOUS` `ESET-NOD32: WinGo/Kryptik.TG trojan` `Elastic: malicious (high confidence)` `F-Secure: Trojan.TR/W64.Evo` `Fortinet: W64/Kryptik.TG!tr` `Google: Detected` `Ikarus: Win32.Outbreak` `Kaspersky: Backdoor.Win64.Gsb.gen` `Kingsoft: Win64.Backdoor.Gsb.gen` `McAfeeD: ti!89FD50B5D8E2` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Backdoor.Gsb!8.1DB49 (CLOUD)` `Sangfor: Trojan.Win64.Kryptik.Vptt` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Win32.Trojan.FalseSign.Najl` `TrellixENS: Artemis!FA6E4CF5A8ED` `Varist: W64/Agent.MCL.gen!Eldorado` `alibabacloud: Backdoor:Multi/Wacatac.B9nj` `huorong: Trojan/Loader.sh`

Hashes

MD5	`fa6e4cf5a8ed135a67e3b62b0e1166cf`
SHA1	`aefcca99b7835b3870433a7fd569ffaacad04436`
SHA256	`89fd50b5d8e2e028364277a16783b5f39b465b6a31bb3f6698c785603bdd906e`
SHA3	`331a298f421566d011561a2fe5369ab75952a378ddd554edb8deb53c8543df9e`
SSDeep	`24576:eQMc6xGr2XI8SZDZFHcz2AEMlSy8HEMlSYbxXkVR9On5iFBele7t9Dyifcm+qCY:etVxWdbZt5caAEMz8HJXkzcicYCY`
Imports Hash	`d42595b695fc008ef2c56aabd8efd68e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x215a00`
NumberOfSymbols	`2704`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0xcd000`
SizeOfInitializedData	`0xf000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000072F60 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x281000`
SizeOfHeaders	`0x600`
Checksum	`0xb38bc0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d5b3337738699405ec7be0ee7f3e5d76`
SHA1	`b177ddd8b463e7ca84f89fe6616ca52321df723a`
SHA256	`e00b1f85d2b0aa3e674328a363638973b3d57c502e7dc3b8b570fa693eda2c32`
SHA3	`d64a3328c3a5f1da6440de27b58de0b15cd6232dee58868cedf930b6f0bb76bd`
VirtualSize	`0xcce11`
VirtualAddress	`0x1000`
SizeOfRawData	`0xcd000`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.26212`

.rdata

MD5	`84503c5ef1fa6a879101ac01fd173fcc`
SHA1	`01b0e072a9962f9e3072e1a2059fc34718ffaac0`
SHA256	`a11d061d0ea9f342a2b2c33597ec010d99b8fbc35cb2624c6ed35501395fac78`
SHA3	`c27efcde5e8ae3796052496bdf1c2dcf862543d2052d8c7e4c275b0432652f44`
VirtualSize	`0x12f338`
VirtualAddress	`0xce000`
SizeOfRawData	`0x12f400`
PointerToRawData	`0xcd600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.29113`

.data

MD5	`f3fe19156f840256268fdff50423bed1`
SHA1	`8577364d9e26c8cdfbc7a1b28d6c287f5aff0aaf`
SHA256	`bfe1d65d1ad11337e99d9162e7bbee828fc526abed80a8771cfb9edbb5585abc`
SHA3	`44c845faf09578a56601ac11f8c7d3410316c98c8d7e95c1814413424f2e41cd`
VirtualSize	`0x58228`
VirtualAddress	`0x1fe000`
SizeOfRawData	`0xf000`
PointerToRawData	`0x1fca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.51035`

.pdata

MD5	`5efed64401408570ade4661c946453a7`
SHA1	`62d1b347f612f15209735790822115b9d5fe0624`
SHA256	`2f463449e6b2963e3e49b8b18f510bbff89a142aae63c954f0a2035f4581f318`
SHA3	`cda9be35713d3fc586076ea4fc2279b3d261206a1ba5d75c5fad1d9a94da5e12`
VirtualSize	`0x50dc`
VirtualAddress	`0x257000`
SizeOfRawData	`0x5200`
PointerToRawData	`0x20ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.21941`

.xdata

MD5	`c42d78863144f52917dd46839e1996d4`
SHA1	`c5c9de0a652c61dee4f84358a991b1590301e78d`
SHA256	`5ca05ad29f2036b3f41bdff0314c8f1a886d6fa398671a9d05b93e6366acb5f4`
SHA3	`bf4855afddffd856b1186351d4cb6457596aee30fa0f0bac227162eb06c515b1`
VirtualSize	`0xb4`
VirtualAddress	`0x25d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x210c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.78321`

.idata

MD5	`7c59e10a241e16096cc71745abb1c2ca`
SHA1	`d6770488c5103ea77f3f90c207cc89620b961a66`
SHA256	`ca7a19b9dfa4919ab04bd2bb75e561639399d24cfb5c93efa3df7d167acedf67`
SHA3	`e31481f891dbbcadf16f646e88c5a8b40f216cd5816575639bee58906b69f161`
VirtualSize	`0x53e`
VirtualAddress	`0x25e000`
SizeOfRawData	`0x600`
PointerToRawData	`0x210e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.01057`

.reloc

MD5	`7b5a44a8ba6a06b489c5890e2bb7c234`
SHA1	`160316360423ac59589d3d60c2aa5fa81d10ae8e`
SHA256	`a6973e9cbe4e6deda89f47a2c3da05e85aa435fe123382501fcc4d5580c79cb3`
SHA3	`f983f39ec77fb0a7b0e63354faeac51d2941e2992e44ba44e05ee47737ed13b6`
VirtualSize	`0x4434`
VirtualAddress	`0x25f000`
SizeOfRawData	`0x4600`
PointerToRawData	`0x211400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.41512`

.symtab

MD5	`5e8f7da90dd1f995655d9f657f5a6727`
SHA1	`f6defc20f566b16ff7b92e7fdfbf930c12796248`
SHA256	`64a1e07d50e32a54128a069a3c90128a97d0dd6f0bac87131b936b9189736f4f`
SHA3	`752a2d8e9b5df2b383ce28fe8d627d6715da083d76ab1129895d2b9ef4d1de74`
VirtualSize	`0x1cfe6`
VirtualAddress	`0x264000`
SizeOfRawData	`0x1d000`
PointerToRawData	`0x215a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.07882`

Imports

kernel32.dll	`WriteFile` `WriteConsoleW` `WerSetFlags` `WerGetFlags` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `TlsAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `ResumeThread` `RaiseFailFastException` `PostQueuedCompletionStatus` `LoadLibraryW` `LoadLibraryExW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatusEx` `GetProcessAffinityMask` `GetProcAddress` `GetErrorMode` `GetEnvironmentStringsW` `GetCurrentThreadId` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateWaitableTimerExW` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler` `AddVectoredContinueHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Yara callback received an unhandled message (6).

Leave a comment

No comments yet.