93136d1384146063bc3ff5e1f0925f14

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2023-May-25 18:42:28

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetDriveTypeW
Suspicious The file contains overlay data. 21138819 bytes of data starting at offset 0x4e600.
The overlay data has an entropy of 7.99875 and is possibly compressed or encrypted.
Overlay data accounts for 98.5041% of the executable.
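The overlay figures above can be checked against the section table further down in this report: 0x4e600 is exactly the PointerToRawData of .reloc (0x4de00) plus its SizeOfRawData (0x800), i.e. the first byte after the last section's raw data, and 21138819 bytes beyond that point is 98.5041% of a 21459843-byte file. The script below is an added example, not output of the analysis tool: it walks the DOS header, COFF header and section table with the standard library only, computes the overlay offset, its share of the file and its Shannon entropy, and re-derives the 98.5041% figure from the numbers in this report. The two-section PE32+ produced by build_sample_pe() and the SHA-256 filler standing in for a packed payload are constructed test fixtures, not the analysed sample.

```python
import hashlib
import math
import struct
from collections import Counter

# (PointerToRawData, SizeOfRawData) of the seven sections in this report, in table
# order: .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
REPORT_SECTIONS = [
    (0x400, 0x28800), (0x28c00, 0x12a00), (0x3b600, 0xe00), (0x3c400, 0x2200),
    (0x3e600, 0x200), (0x3e800, 0xf600), (0x4de00, 0x800),
]
REPORT_OVERLAY_SIZE = 21138819  # bytes, from the plugin output above


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_offset_from_sections(sections) -> int:
    """The overlay is everything after the highest PointerToRawData + SizeOfRawData."""
    return max((ptr + size for ptr, size in sections if size), default=0)


def section_raw_ranges(pe: bytes):
    """DOS header -> e_lfanew -> COFF header -> section table, using struct only."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    ranges = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; SizeOfRawData at +16, PointerToRawData at +20
        size, ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        ranges.append((ptr, size))
    return ranges


def analyze_overlay(pe: bytes) -> dict:
    """The three numbers the report gives for the overlay: offset, share of file, entropy."""
    off = overlay_offset_from_sections(section_raw_ranges(pe))
    overlay = pe[off:]
    return {"offset": off, "size": len(overlay),
            "ratio": len(overlay) / len(pe), "entropy": shannon_entropy(overlay)}


def report_overlay_ratio() -> float:
    """Re-derives the 98.5041% figure from the section table and overlay size above."""
    off = overlay_offset_from_sections(REPORT_SECTIONS)
    return REPORT_OVERLAY_SIZE / (off + REPORT_OVERLAY_SIZE)


def pseudo_random_overlay(nbytes: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), b"constructed"
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:nbytes])


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed two-section PE32+ (headers only, no imports): a test fixture, not the
    sample from the report. Section raw data ends at 0x800, so the overlay starts there."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)   # AMD64, 2 sections
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    fmt = "<8sIIIIIIHHI"  # name, VSize, VAddr, RawSize, RawPtr, 2 ptrs, 2 counts, flags
    sections = struct.pack(fmt, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(fmt, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x400, b"\0")
    return headers + b"\xCC" * 0x200 + b"\x00" * 0x200 + overlay


if __name__ == "__main__":
    print(f"report: overlay at 0x{overlay_offset_from_sections(REPORT_SECTIONS):x}, "
          f"{report_overlay_ratio():.4%} of the file")
    for label, payload in (("packed-looking", pseudo_random_overlay(16384)),
                           ("plain text", b"config=1\n" * 1800), ("none", b"")):
        print(label, analyze_overlay(build_sample_pe(payload)))
```

An overlay that makes up nearly the whole file with entropy close to 8 bits per byte is what an installer or self-extracting stub carrying a compressed archive looks like; entropy alone does not tell compression from encryption. Given the Avast/AVG and Ikarus labels below (Python:Agent-IR, Trojan-Spy.Python.TokenGrabber), carving the overlay (pe[offset:]) and handing it to an unpacker for Python-packaged executables is the usual next step.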
Malicious VirusTotal score: 26/64 (Scanned on 2023-05-26 17:48:18)
MicroWorld-eScan: Generic.Trojan.Stealer.D.FDD38524
McAfee: Artemis!93136D138414
Malwarebytes: Agent.Spyware.Stealer.DDS
VIPRE: Generic.Trojan.Stealer.D.FDD38524
Symantec: Trojan.Gen.MBT
Elastic: malicious (high confidence)
Kaspersky: UDS:Trojan-PSW.Win64.Alien.cmo
Alibaba: TrojanSpy:Win64/Genric.21ebf96e
Avast: Python:Agent-IR [Trj]
Emsisoft: Generic.Trojan.Stealer.D.FDD38524 (B)
F-Secure: Heuristic.HEUR/AGEN.1358346
McAfee-GW-Edition: Artemis
Sophos: Mal/Generic-S
Ikarus: Trojan-Spy.Python.TokenGrabber
Avira: HEUR/AGEN.1358346
MAX: malware (ai score=80)
Arcabit: Generic.Trojan.Stealer.D.FDDD967C
ZoneAlarm: UDS:Trojan-PSW.Win64.Alien.cmo
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
Cynet: Malicious (score: 99)
Cylance: unsafe
TrendMicro-HouseCall: TROJ_GEN.R002H0CEQ23
Tencent: Win32.Trojan.Agen.Cplw
Fortinet: W32/PossibleThreat
AVG: Python:Agent-IR [Trj]
DeepInstinct: MALICIOUS

Hashes

MD5 93136d1384146063bc3ff5e1f0925f14
SHA1 98613f4734bb635d8ca1059f343ab1c8ac03d2b6
SHA256 b4505ef6d240c605cb39e2861b642007dc51e0c48f561b0675ee0b736d1d2721
SHA3 02f5a22b7b8f7ec0994725ad6f942ce820ef44cfb7d8d6b7a934a508cd19fd46
SSDeep 393216:oqPnLFXlodzrzlIBRPQDCSiGY3gMreIJ6ZjWWZuCQrrq/:ZPLFXCdzrUPQmBbEN/0a
Imports Hash 1e92fd54d65284238a0e3b74b2715062

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2023-May-25 18:42:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x28800
SizeOfInitializedData 0x25a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000AFA0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x63000
SizeOfHeaders 0x400
Checksum 0x147c10a
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x1e8480
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 e4f89af1ba6511882cb4cd14d9f6eca0
SHA1 e15872f0de54a6d043e4393fbd549ea1610b0883
SHA256 550794614c690c52a39442d4b03d8ace73310fa017af86f805ae7b1c53a15579
SHA3 44764196b9d1273e7d8c1238bd284da76be19118db990962fe941c2efddb6f25
VirtualSize 0x28710
VirtualAddress 0x1000
SizeOfRawData 0x28800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.48668

.rdata

MD5 c65e4865bce85fa7647d4dad8a9001e7
SHA1 2a91a1731e8f6aed1248facc4d828e499ab36637
SHA256 524250c3261837995d59fd74406b18728e4c35eb34df6da8e64e180ea9fa5f7a
SHA3 feb4a75a31650e4b709864afa920403588dfe4b7e7a568496690e515a81767b6
VirtualSize 0x1282e
VirtualAddress 0x2a000
SizeOfRawData 0x12a00
PointerToRawData 0x28c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.81295

.data

MD5 8197d15b5af8fff7ec6022f8809b64c8
SHA1 d4c953f89fd70f37e55ba6c4ce6eebd2bc17e4db
SHA256 1a8fb0038b774849fe3d43f37238d5187a822565cac22993ac8a41399f4b2271
SHA3 15d5ffaa1f4813fe009650e84b6bb9f0effd1f0f337e18bed98f1e91007a6801
VirtualSize 0x103e8
VirtualAddress 0x3d000
SizeOfRawData 0xe00
PointerToRawData 0x3b600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.80114

.pdata

MD5 77e2f2d72516a8aa1832e8298e54381f
SHA1 e2a1cf46fa7fcdbc7939358c02a9de9d85500ef8
SHA256 8848caf0d81aa6b949205a16b480298c1d42e55362fb205096585c0db5623d2f
SHA3 e054433c8821facbc495289d2abc47e0decd459b62e68a08859d7b0a91638324
VirtualSize 0x20a0
VirtualAddress 0x4e000
SizeOfRawData 0x2200
PointerToRawData 0x3c400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.32575

_RDATA

MD5 0ed86077474ad8a4a0621ecbc29cb84c
SHA1 354e5acb26cebcef4e637aaf6bae5f3a05ee3243
SHA256 f8e1067f27ef4dd285d67b5fad70843b9734f550ed2ad05008f402c5aab8f640
SHA3 12862df761f55699044d2f84b12df4f4b57fcf75f0ee9523ebdcb5255a80f51d
VirtualSize 0x15c
VirtualAddress 0x51000
SizeOfRawData 0x200
PointerToRawData 0x3e600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.75792

.rsrc

MD5 ac8c7cbe6626a5ff9e2bb1338d967035
SHA1 de01d1fdfeee73131e7f47a08c86957cd254bd13
SHA256 c4d9543db1f13c0ecbfac8d1d7eedaf18794a68b07abc91e4bdec149fcaf0ad3
SHA3 53d807d8872b3f8130f52ec601b70251f07a149e5de3a0b93d5cd3569c2dbcdf
VirtualSize 0xf498
VirtualAddress 0x52000
SizeOfRawData 0xf600
PointerToRawData 0x3e800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.55557

.reloc

MD5 7fed9a3addc55d51107d5af5a380ab8e
SHA1 7d1edc41fd0cf54f92d860819a4ea04e5f5c470b
SHA256 6a91a13b5a6053039e336a1beb9fbf515f5ca5f1085c1c1d2103a57483b09ce4
SHA3 f4f110aa31d23465f15f44c7eb97887ff352491ad41e70ac5a3119c73a0a8948
VirtualSize 0x754
VirtualAddress 0x62000
SizeOfRawData 0x800
PointerToRawData 0x4de00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.23933

Imports

USER32.dll CreateWindowExW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW
COMCTL32.dll #380
KERNEL32.dll IsValidCodePage
GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
GetACP
GetOEMCP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetCPInfo
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEndOfFile
GetEnvironmentVariableW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
SetConsoleCtrlHandler
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
ADVAPI32.dll OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
GDI32.dll SelectObject
DeleteObject
CreateFontIndirectW
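The Imports Hash given in the Hashes section above is an imphash: an MD5 over the import table after normalisation, as pefile computes it. The code below is an added example of that normalisation and is not the report tool's code. It runs on a constructed subset of the import table printed above rather than the full table; the report's own value cannot be reproduced from this page alone, because imphash depends on every entry and on the on-disk import order, which the printed list is only assumed to follow. The sample therefore illustrates the rules (lower-casing, extension stripping, ordinal imports as ordN, order sensitivity) rather than the page's value.

```python
import hashlib

# Extensions pefile strips from the DLL name before hashing; anything else (e.g. ".drv") is kept.
_STRIP = (".dll", ".ocx", ".sys")


def imphash_string(imports) -> str:
    """Build the string imphash hashes: 'dll.func' entries joined with commas, lower-cased,
    in import-table order. imports: iterable of (dll, name_or_None, ordinal_or_None)."""
    parts = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        for ext in _STRIP:
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        func = name.lower() if name else f"ord{ordinal}"   # import by ordinal -> ordN
        parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of imphash_string(): 32 hex characters, comparable with an 'Imports Hash' field."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed subset of the import table printed above, as (dll, name, ordinal), in the
# printed order. COMCTL32 #380 is an import by ordinal with no name.
SAMPLE_IMPORTS = [
    ("USER32.dll", "CreateWindowExW", None),
    ("USER32.dll", "MessageBoxW", None),
    ("COMCTL32.dll", None, 380),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "LoadLibraryExW", None),
    ("ADVAPI32.dll", "OpenProcessToken", None),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Order matters: the same entries with KERNEL32 first give a different hash.
    print(imphash(SAMPLE_IMPORTS[3:] + SAMPLE_IMPORTS[:3]))
```

Imphash only sees the static import table. The plugin output above flags GetProcAddress and LoadLibraryExW, so anything the binary resolves at runtime is invisible to the hash, and a stub that is reused unchanged with a different overlay payload keeps the same imphash; treat it as a pivot on the loader, not on the payload.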

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.15653
MD5 15d6a8563184abef13a1ee75aea262ad
SHA1 d7d896432efd845f283f2b98a66486df05bf5e10
SHA256 7cccfafd00332ac9c9f6ac0112cc0653991eb169943919e55d05f3fa15929821
SHA3 93904dad7224f31021bf8d53753e553f8233c2f40f6dbe25e67b692c6ae378ab

2

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.44895
MD5 1c06420cfb94514d35c088699a04774d
SHA1 2c23d7df4bc8ce3fb15f33e78c042b12814aea3b
SHA256 d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e
SHA3 a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3

3

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.77742
MD5 db1208cf5d76055be1c3a34567af9f5a
SHA1 c5adcd7407c8b18459e4b4ce96fb70ecf5701a97
SHA256 5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5
SHA3 549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99

4

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x952c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.95095
Detected Filetype PNG graphic file
MD5 f6fbada22d6a6c07ef8fdaa504f117d5
SHA1 591a723501eff1a4920462f8efcaf3715e829450
SHA256 3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f
SHA3 ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c

5

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.0521
MD5 86ce219c337119fe35646823cb56d091
SHA1 74d3090f01f3128bda93a3a7525f139c495bffbd
SHA256 7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee
SHA3 8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf

6

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.15081
MD5 58b7700e8f20d0a3c77021eb7e7019dc
SHA1 87f7668b96ab48bd6ba5c8b9968dbb024a028407
SHA256 c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a
SHA3 13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72

7

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.39466
MD5 9de69c1c4b3a06597da9c275b38bffb6
SHA1 a4ed3bd1bb4edc0eaa187b68929f596906e9ee87
SHA256 ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30
SHA3 6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509

0

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.71858
Detected Filetype Icon file
MD5 cd3a631eace19041876b4c4c6ec8461a
SHA1 d4b3f99c4d648e3446dc05e7fb6e444e42dfed01
SHA256 f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838
SHA3 b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x589
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.28434
MD5 2a8d9d6d31060e96d33d093d7325b388
SHA1 a5ad8fb9e2fb2c7196ed5e6765f4282951bb6cac
SHA256 12db3407b99e511bf7c5216f00ab02e6b383f2873644f0121558fbec50fc3efa
SHA3 516d2157e0ccf14ee7940d9b9c9631a2316555735504dcb4c6661149b05ade45

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-May-25 18:42:28
Version 0.0
SizeofData 772
AddressOfRawData 0x3966c
PointerToRawData 0x3826c

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14003d000
GuardCFCheckFunctionPointer 0x14002a418
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xa4b59193
Unmarked objects 0
ASM objects (29395) 7
C++ objects (29395) 190
C objects (29395) 10
253 (VS 2015-2022 runtime 30818) 4
C++ objects (VS 2015-2022 runtime 30818) 40
C objects (VS 2015-2022 runtime 30818) 17
ASM objects (VS 2015-2022 runtime 30818) 9
Imports (29395) 11
Total imports 139
C objects (VS2022 Update 2 (17.2.0-1) compiler 31328) 20
Linker (VS2022 Update 2 (17.2.0-1) compiler 31328) 1

Errors
