Manalyze report for 946fcfcbfd3fb51a3b3c74b7f81f2b55

This file seems to be a .NET executable.
Sadly, Manalyzer's analysis techniques were designed for native code, so it's likely that this report won't tell you much.
Sorry!

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2053-Feb-19 18:54:36
Comments	Payload for Umbral Stealer
FileVersion	`1.0.0.0`
ProductVersion	`1.0.0.0`
Assembly Version	1.0.0.0

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C# v7.0 / Basic .NET`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: rshell.exe` `Looks for VMWare presence: vmtools vmware` `Looks for VirtualBox presence: vboxservice vboxtray` `Looks for Qemu presence: qemu` `Miscellaneous malware strings: cmd.exe` Contains domain names: adaware.com avast.com avira.com bitdefender.com bullguard.com ccleaner.com clamav.net discord.com discordapp.com drweb.com emsisoft.com f-secure.com github.com gstatic.com home.sophos.com http://ip-api.com https://discord.com https://discordapp.com https://github.com https://gstatic.com ip-api.com kaspersky.com malwarebytes.com mcafee.com norton.com pandasecurity.com pcprotect.com roblox.com scanguard.com secure.com sophos.com totaladblock.com totalav.com trendmicro.com us.norton.com usa.kaspersky.com virustotal.com zillya.com zonealarm.com
Malicious	VirusTotal score: 52/71 (Scanned on 2026-02-10 12:31:13)	`ALYac: Gen:Variant.Application.Zusy.318918` `APEX: Malicious` `AVG: Win32:UmbralStealer-A [Pws]` `AhnLab-V3: Trojan/Win.MSILZilla.R607210` `Arcabit: Trojan.Application.Zusy.D4DDC6` `Avast: Win32:UmbralStealer-A [Pws]` `Avira: HEUR/AGEN.1365342` `BitDefender: Gen:Variant.Application.Zusy.318918` `Bkav: W32.AIDetectMalware.CS` `CAT-QuickHeal: Trojan.YakbeexMSIL.ZZ4` `CTX: exe.unknown.zusy` `ClamAV: Win.Packed.Msilzilla-9952790-0` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.PWS.Stealer.36948` `ESET-NOD32: MSIL/PSW.Agent.SZC trojan` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Application.Zusy.318918 (B)` `F-Secure: Heuristic.HEUR/AGEN.1365342` `Fortinet: MSIL/Agent.SZC!tr.pws` `GData: MSIL.Trojan-Stealer.UmbralStealer.A` `Google: Detected` `Gridinsoft: Trojan.Win32.Downloader.dd!ni` `Ikarus: Trojan-Spy.MSIL.Agent` `Jiangmin: Trojan.MSIL.aoobx` `K7AntiVirus: Trojan ( 700000201 )` `K7GW: Trojan ( 700000201 )` `Kaspersky: HEUR:Trojan.MSIL.Dizemp.gen` `Malwarebytes: PasswordStealer.Spyware.Stealer.DDS` `MaxSecure: Trojan.Malware.332931040.susgen` `McAfeeD: Trojan:Win/Generic.AUJ` `MicroWorld-eScan: Gen:Variant.Application.Zusy.318918` `Microsoft: Trojan:MSIL/UmbralStealer.DG!MTB` `Panda: Trj/GdSda.A` `Rising: Stealer.Umbral!1.F481 (CLASSIC)` `SUPERAntiSpyware: Trojan.Agent/Gen-Crypt` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: Troj/Umbral-A` `Symantec: ML.Attribute.HighConfidence` `Tencent: Trojan.Msil.Umbralstealer.16001246` `TrellixENS: GenericRXWC-QA!946FCFCBFD3F` `TrendMicro: TrojanSpy.MSIL.UMBRAL.SMPI` `TrendMicro-HouseCall: TrojanSpy.MSIL.UMBRAL.SMPI` `VBA32: TScope.Trojan.MSIL` `VIPRE: Gen:Variant.Application.Zusy.318918` `Varist: W32/MSIL_Agent.FGE.gen!Eldorado` `VirIT: Trojan.Win32.MSIL_Heur.A` `Yandex: Trojan.PWS.Agent!rtqKLV1qnXc` `ZoneAlarm: Troj/Umbral-A` `huorong: TrojanSpy/MSIL.Discord.n`

Hashes

MD5	`946fcfcbfd3fb51a3b3c74b7f81f2b55`
SHA1	`14444e696be9036abbc1142f94f54ac7a1263b55`
SHA256	`d8547d0d7db16a07dfacf8b86dbbcad08b12e7e60a3d32c8f98aae5a4dc342a0`
SHA3	`9da3614c1fabc52e25db5d2e353b74969915ff665922d427409eba7a78b833f0`
SSDeep	`6144:tloZMEXU9Zx0kt8X0/PSCsMRCzaQcCg/7IKR0STTKzJ4IhD8e1mCgi:voZof0kkP8CzaQcCg/7IKR0STTKzJxh`
Imports Hash	`f34d5f2d4577ed6d9ceec516c1f5a744`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2053-Feb-19 18:54:36
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`48.0`
SizeOfCode	`0x38c00`
SizeOfInitializedData	`0x800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0003AA8E (Section: .text)`
BaseOfCode	`0x2000`
BaseOfData	`0`
ImageBase	`0x400000`
SectionAlignment	`0x2000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x40000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`17225821794c44a83854cc0d8663d9f2`
SHA1	`8cae0086327b04cc3936411203f0c1ae57f3e037`
SHA256	`75175971a7d760fc5330c12f216b45faff18cbcbf276fb56af62e486f42a7ed2`
SHA3	`8484776d0966d4b0192394807a9b32e4281fb7aaf8a5fd5503bee96750549417`
VirtualSize	`0x38a94`
VirtualAddress	`0x2000`
SizeOfRawData	`0x38c00`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.07046`

.rsrc

MD5	`962661cf515c57234d66775c661dfade`
SHA1	`537a7c1ac9289ee273fecc2fe3aa43e0d2434d23`
SHA256	`3daed9966e3f5018657c6aa8e2fd9517df385af76b3313a3463f71df7f52891b`
SHA3	`56b9c8dfe07fd72d2d4427d2942b8959ce4ae7790294d1f882a067d352b87cb0`
VirtualSize	`0x550`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x600`
PointerToRawData	`0x38e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.57501`

.reloc

MD5	`7223f3255890538860641b7380927c24`
SHA1	`8a91110e124f4ee2a5bea209c718ea396e730789`
SHA256	`bd6d042e83530ffc59fde705c805f73b1ed66247472a1c4d6af1f9eee94a1fd2`
SHA3	`13d251c57aa211e33e8601b07b8c6bec3fa0e72002e2bd64fed1824164c1f796`
VirtualSize	`0xc`
VirtualAddress	`0x3e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x39400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.10191`

Imports

mscoree.dll	`_CorExeMain`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2c4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.16889`
MD5	`89d7894ab09079ef23ce62c7e35779a8`
SHA1	`35da6de5df32890fc421a47b9853b8442fe410ba`
SHA256	`e4a39f24f77bee2f6b85a3e5ef1cf55635a40e0fe0f1ba3efcc0e53e14376b04`
SHA3	`fb480e67047128e89747a7f8acfbffa8be3ae367c07b4923ed8564bb9372d643`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`b7db84991f23a680df8e95af8946f9c9`
SHA1	`cac699787884fb993ced8d7dc47b7c522c7bc734`
SHA256	`539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a`
SHA3	`4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
Comments	Payload for Umbral Stealer
FileVersion (#2)	1.0.0.0
ProductVersion (#2)	1.0.0.0
Assembly Version	1.0.0.0

Resource LangID	UNKNOWN

UNKNOWN

Characteristics	`0`
TimeDateStamp	1970-Jan-01 00:00:00
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0x38c40`

TLS Callbacks

Load Configuration

RICH Header

946fcfcbfd3fb51a3b3c74b7f81f2b55

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors