8c1bc5dd1a8547845a076d75aa16aaae

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Oct-25 17:19:32
TLS Callbacks 1 callback(s) detected.

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Looks for VMWare presence:
  • vmx86
Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • diagnostic.info
  • docs.helix-editor.com
  • editor.com
  • encoding.spec.whatwg.org
  • github.com
  • gitlab.com
  • helix-editor.com
  • https://docs.helix-editor.com
  • https://docs.helix-editor.com/master/languages.html
  • https://docs.rs
  • https://encoding.spec.whatwg.org
  • https://git.sr.ht
  • https://git.sr.ht/
  • https://github.com
  • https://gitlab.com
  • https://json5.org
  • json5.org
  • protonmail.com
  • source.org
  • spec.whatwg.org
  • whatwg.org
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to RC5 or RC6
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Can access the registry:
  • RegEnumKeyExW
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
Uses Windows's Native API:
  • NtCreateFile
  • NtCancelIoFileEx
  • NtWriteFile
  • NtDeviceIoControlFile
  • NtReadFile
Leverages the raw socket API to access the Internet:
  • closesocket
  • listen
  • WSAGetLastError
  • getsockopt
  • WSAIoctl
  • recv
  • send
  • WSASend
  • bind
  • connect
  • socket
  • ioctlsocket
  • WSAStartup
  • WSACleanup
  • freeaddrinfo
  • getaddrinfo
  • WSASocketW
  • getsockname
  • shutdown
Functions related to the privilege level:
  • CheckTokenMembership
  • OpenProcessToken
Reads the contents of the clipboard:
  • GetClipboardData
Suspicious VirusTotal score: 1/71 (Scanned on 2024-02-12 17:05:48) Jiangmin: TrojanDropper.Dapato.adsa

Hashes

MD5 8c1bc5dd1a8547845a076d75aa16aaae
SHA1 c079bd7d44871f83c1ffad5d5ecdbde3b9c7007d
SHA256 8466176ff84601f0e77dd660f84645ca31bd4945ab856e50c64f61e30f03da4f
SHA3 bf3101dcd7547305dab76d608920e0346e130021dbc95c73fb818eae534d860b
SSDeep 98304:jkrp15+0M1QD9kQkN3zBZXFE+E+yx0Mo2EmUFUXI5YnvMcbUjUFzzIYo24iIvMi:ea+kRHwKUoiSMM5SqDqzsxT7z
Imports Hash 82356315ec59f48686dbec3414fb4fd8

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x108

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 5
TimeDateStamp 2023-Oct-25 17:19:32
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xdc5800
SizeOfInitializedData 0x560800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000D6AD9C (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x132a000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5427d70ab39cb088ba6e04d1caef6f7a
SHA1 db365da657da8e6306c1fdee1ecfad526a267a9a
SHA256 72ba847cf271ba07f33036b91e33c1f3c455bfbdca610fe88fbd92737c7653ba
SHA3 a60f3e19669e018d059ea8b4846fedab651001e5951c352a28c3552e0c08f269
VirtualSize 0xdc57f5
VirtualAddress 0x1000
SizeOfRawData 0xdc5800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.28582

.rdata

MD5 87aec30b4734a526ef7e4ec66b6b2223
SHA1 0f19d1b70b3d2f434b3818a9cec449af4b4eb80d
SHA256 74ef0c777c76a5eb48231a2dd3a805ab93901da2d5ddb095782da421918dd75f
SHA3 a5fa34e95b5fd944481bf08c01816fd2522565fe21926ab484a234460f92ba07
VirtualSize 0x4af5f8
VirtualAddress 0xdc7000
SizeOfRawData 0x4af600
PointerToRawData 0xdc5c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.62986

.data

MD5 64a4f8f9cecc817d3b37ac012a64ac32
SHA1 602f2e757416530279a272e0672b74c5c8e5a93c
SHA256 8bef50cbd6c8b7f110b0143c286467018b2804ae4b87edca0674a1afcd1511b0
SHA3 7c409b2b5cfcfb2ddee66e8530d1114bf52e4474be562e459c3f8ba0cd45d0aa
VirtualSize 0x15c0
VirtualAddress 0x1277000
SizeOfRawData 0xe00
PointerToRawData 0x1275200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.875903

.pdata

MD5 0f9d3e658e6a583db4b9e70737e8cca4
SHA1 ab2e47d96ef0cc4e964c5f42598b9ef7103f5353
SHA256 f3a94bee6105f6cf7fd43bb15f6f4e0bfd0d885f0238fdbdd5653fc13f4045ef
SHA3 2a8b96a4e4d577fc09194e1c5f315efc203845a512b5173472d6143e75c7b86a
VirtualSize 0x9a398
VirtualAddress 0x1279000
SizeOfRawData 0x9a400
PointerToRawData 0x1276000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.81209

.reloc

MD5 b497d43d83b1162afd41e1a90cb42f44
SHA1 bfc0578187a8dbbf9678896ab2e58da919c16e99
SHA256 a90ac601e66ec084e45268b8fc9daff330a232b03df8353dbb9997ec98beccc5
SHA3 a18e65356da54a0ef8d8a33a44496abf5a873b9ebe5b5a35a4dd3325e5d006b7
VirtualSize 0x15710
VirtualAddress 0x1314000
SizeOfRawData 0x15800
PointerToRawData 0x1310400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.46631

Imports

ntdll.dll RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
NtCreateFile
RtlNtStatusToDosError
NtCancelIoFileEx
NtWriteFile
NtDeviceIoControlFile
NtReadFile
kernel32.dll SystemTimeToFileTime
GetCurrentProcess
GetNativeSystemInfo
LocalFree
UnmapViewOfFile
FindClose
TryAcquireSRWLockExclusive
FreeLibrary
SetThreadErrorMode
LoadLibraryExW
GetProcAddress
ReleaseSRWLockShared
AcquireSRWLockShared
GetCurrentProcessId
GetExitCodeProcess
WakeAllConditionVariable
PostQueuedCompletionStatus
GetSystemInfo
SystemTimeToTzSpecificLocalTime
lstrlenW
GlobalLock
CreateSemaphoreW
Sleep
FormatMessageW
CreateConsoleScreenBuffer
WaitForSingleObject
GetFileInformationByHandle
CreateFileMappingW
MapViewOfFile
DuplicateHandle
VirtualProtect
CreateIoCompletionPort
GetQueuedCompletionStatusEx
ReadConsoleInputW
CreateFileW
GetStdHandle
WaitForMultipleObjects
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
GetLastError
SetConsoleMode
GetConsoleMode
GetModuleHandleA
SleepConditionVariableSRW
WakeConditionVariable
GetNumberOfConsoleInputEvents
SetConsoleActiveScreenBuffer
SetConsoleTextAttribute
FreeEnvironmentStringsW
ReleaseMutex
CompareStringOrdinal
TzSpecificLocalTimeToSystemTime
IsProcessorFeaturePresent
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
GetConsoleScreenBufferInfo
GetCommandLineW
SetFilePointerEx
GetOverlappedResult
TerminateProcess
QueryPerformanceFrequency
SetConsoleCursorPosition
ReadFileEx
SleepEx
WriteFileEx
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
FindNextFileW
GetFileInformationByHandleEx
SetFileInformationByHandle
CreateDirectoryW
FindFirstFileW
DeleteFileW
MoveFileExW
RemoveDirectoryW
DeviceIoControl
GetFinalPathNameByHandleW
SetConsoleCursorInfo
SetHandleInformation
GetModuleHandleW
GetModuleFileNameW
SetCurrentDirectoryW
ExitProcess
GetFullPathNameW
CreateNamedPipeW
CreateEventW
ReadFile
CancelIo
GetEnvironmentStringsW
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
WriteConsoleW
ReadConsoleW
CreateThread
GetSystemTimeAsFileTime
CreatePipe
RegisterWaitForSingleObject
UnregisterWaitEx
AcquireSRWLockExclusive
CloseHandle
AddVectoredExceptionHandler
ReleaseSRWLockExclusive
ReleaseSemaphore
QueryPerformanceCounter
SwitchToThread
GlobalUnlock
GlobalFree
GlobalAlloc
GetCurrentThread
HeapReAlloc
HeapFree
GetProcessHeap
HeapAlloc
MultiByteToWideChar
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
WideCharToMultiByte
SetFileCompletionNotificationModes
GlobalSize
GetProcessId
SetThreadStackGuarantee
bcrypt.dll BCryptGenRandom
advapi32.dll RegEnumKeyExW
GetNamedSecurityInfoW
SystemFunction036
CheckTokenMembership
RegQueryValueExW
RegOpenKeyExW
EqualSid
IsWellKnownSid
OpenThreadToken
OpenProcessToken
RegCloseKey
GetTokenInformation
ole32.dll CoTaskMemFree
CoCreateInstance
CoInitializeEx
oleaut32.dll GetErrorInfo
SysStringLen
SysFreeString
user32.dll ToUnicodeEx
GetKeyboardLayout
SetClipboardData
CloseClipboard
GetClipboardData
EmptyClipboard
GetForegroundWindow
GetWindowThreadProcessId
OpenClipboard
shell32.dll SHGetFolderPathW
SHGetKnownFolderPath
ws2_32.dll closesocket
listen
WSAGetLastError
getsockopt
WSAIoctl
recv
send
WSASend
bind
connect
socket
ioctlsocket
WSAStartup
WSACleanup
freeaddrinfo
getaddrinfo
WSASocketW
getsockname
shutdown
userenv.dll GetUserProfileDirectoryW
VCRUNTIME140.dll __CxxFrameHandler3
memmove
memcmp
__current_exception_context
__current_exception
__C_specific_handler
memcpy
_CxxThrowException
memset
api-ms-win-crt-runtime-l1-1-0.dll strerror
_set_app_type
_register_thread_local_exe_atexit_callback
terminate
_c_exit
_cexit
_crt_atexit
__p___argv
__p___argc
_exit
exit
_initterm_e
_wassert
_initterm
_get_initial_narrow_environment
_seh_filter_exe
_register_onexit_function
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
api-ms-win-crt-string-l1-1-0.dll iswctype
strncmp
strlen
wcslen
api-ms-win-crt-math-l1-1-0.dll pow
_fdopen
__setusermatherr
fmod
api-ms-win-crt-heap-l1-1-0.dll realloc
malloc
calloc
free
_set_new_mode
api-ms-win-crt-stdio-l1-1-0.dll __p__commode
__acrt_iob_func
fclose
fputc
__stdio_common_vsprintf
_set_fmode
__stdio_common_vfprintf
fputs
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-Oct-25 17:19:32
Version 0.0
SizeofData 836
AddressOfRawData 0x10322c8
PointerToRawData 0x1030ec8

TLS Callbacks

StartAddressOfRawData 0x141032630
EndAddressOfRawData 0x1410328c8
AddressOfIndex 0x141277fc0
AddressOfCallbacks 0x140dc7878
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_8BYTES
Callbacks 0x0000000140C9F6C0

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x141277c18

RICH Header

XOR Key 0xe02fd0cc
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 12
Imports (VS 2015-2022 runtime 32533) 2
253 (VS 2015-2022 runtime 32533) 1
C++ objects (VS 2015-2022 runtime 32533) 24
C objects (VS 2015-2022 runtime 32533) 10
ASM objects (VS 2015-2022 runtime 32533) 4
Imports (30148) 18
Imports (30795) 3
Total imports 244
C objects (VS2022 Update 7 (17.7.4) compiler 32825) 1
Unmarked objects (#2) 1040
Linker (VS2022 Update 7 (17.7.4) compiler 32825) 1

Errors
