95bfcf0c4a4e9f1ba62437a9c52d07c7

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2024-Oct-26 19:53:35
Detected languages English - United States

Plugin Output

Suspicious The PE is possibly packed.
Unusual section name found: .dta0
Unusual section name found: .dta1
Unusual section name found: .dta2
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Possibly launches other programs:
  • ShellExecuteA
Has Internet access capabilities:
  • InternetReadFile
Leverages the raw socket API to access the Internet:
  • sendto
Malicious VirusTotal score: 40/72 (Scanned on 2024-11-02 07:06:18)
APEX: Malicious
AVG: Win64:MalwareX-gen [Trj]
Alibaba: Packed:Win64/VMProtect.89e0e46b
Antiy-AVL: Trojan[Packed]/Win64.VMProtect
Avast: Win64:MalwareX-gen [Trj]
Avira: TR/Agent.xhhuw
Bkav: W64.AIDetectMalware
CTX: exe.trojan.vmprotect
CrowdStrike: win/malicious_confidence_90% (D)
Cylance: Unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
ESET-NOD32: a variant of Win64/Packed.VMProtect.J suspicious
Elastic: malicious (high confidence)
F-Secure: Trojan.TR/Agent.xhhuw
FireEye: Generic.mg.95bfcf0c4a4e9f1b
Fortinet: Riskware/Application
GData: Win64.Application.Agent.97NRUP
Google: Detected
Gridinsoft: Trojan.Heur!.02292023
Ikarus: PUA.VMProtect
K7AntiVirus: Trojan ( 0058c4fb1 )
K7GW: Trojan ( 0058c4fb1 )
Kaspersky: Trojan.Win64.Agent.qwmjmn
Kingsoft: Win32.Trojan.Generic.a
Lionic: Trojan.Win32.VMProtect.4!c
Malwarebytes: VMProtect.Trojan.MalPack.DDS
MaxSecure: Trojan.Malware.300983.susgen
McAfee: Artemis!95BFCF0C4A4E
McAfeeD: Real Protect-LS!95BFCF0C4A4E
Microsoft: Program:Win32/Wacapew.C!ml
Paloalto: generic.ml
Rising: Trojan.Kryptik@AI.84 (RDML:T416+QThLZjpmFwdZwAXvg)
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win64.Downloader.tc
Sophos: Mal/Generic-S
Symantec: ML.Attribute.HighConfidence
Tencent: Win64.Trojan.Agent.Najl
alibabacloud: Trojan:Win/Packed.VMProtect.J
tehtris: Generic.Malware

Hashes

MD5 95bfcf0c4a4e9f1ba62437a9c52d07c7
SHA1 56ae349787231f477f635225b39390044087e344
SHA256 89b92040c7895e23cbe7c72706ff1b3442e9c666202a84f7917df13cfd985e34
SHA3 6d20568070172e4edf74f192c1c37e5becf3817ebad74856506c4549f67a587f
SSDeep 98304:CXfrFNgTp2f7UtjaK+WN3ije7taLJRANXx2bSGRwpN+PO4:CXfngTMfsjaKjyjISJRlblm+b
Imports Hash 094c35152a6d81651f1f5113d3b0b705

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 9
TimeDateStamp 2024-Oct-26 19:53:35
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xb6400
SizeOfInitializedData 0x3aa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000004DC38A (Section: .dta2)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xa49000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xb6340
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x2eb84
VirtualAddress 0xb8000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x3900
VirtualAddress 0xe7000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x75b4
VirtualAddress 0xeb000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.dta0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x3940fd
VirtualAddress 0xf3000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.dta1

MD5 a5050253cd3f660ff534530a9c3fbeb1
SHA1 1681b65c0071453c35a918ebae20b97ac6c43b7e
SHA256 903b9bb16b6f0e1924667e3c76b479a88b2a6c4af9ffe3b21107eafe666982d6
SHA3 e6e226bc84ed2c9a113f807cece916f6e51c6ad0adc7bad15a05690976ea7bcf
VirtualSize 0x1240
VirtualAddress 0x488000
SizeOfRawData 0x1400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.244184

.dta2

MD5 5a2367d9f587bc9df29946293417928b
SHA1 e85a653a65065e3c4fb8be03f72044999874499d
SHA256 0b48a73b1ba22f0cdf77777289f6d488de733411617d62472dea5672bfd9401b
SHA3 eb4f924156d65f947e687129ab3c290c08062825f6d4ea3a62b270d335b4464c
VirtualSize 0x5bc950
VirtualAddress 0x48a000
SizeOfRawData 0x5bca00
PointerToRawData 0x1800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 7.90791

.reloc

MD5 45fd62762f1098f9c037bb5481085eff
SHA1 33d5be53a444535db6ba213875b7f2b1a73aa9bb
SHA256 5ff1c9ea5f393b841c4e4c21d782dbf19781b26a1358f2e075a00ffcec4859b2
SHA3 4fb07d50d236dabed1c58b534307178fa5f425dfe242a0fe1f2429ea9576786a
VirtualSize 0xd8
VirtualAddress 0xa47000
SizeOfRawData 0x200
PointerToRawData 0x5be200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.1042

.rsrc

MD5 57b9dfd79c183308a163cd929969fcbb
SHA1 0e36d50f9d6000db8ab2151a50876bc6dd66ba37
SHA256 1b5a8907aed8bff2d1f7b3344040693a4c65738ad675acdca0d6ed6c26f04763
SHA3 1764742bf1ac8adfed0ec03a4f64f3d9496d242b7558d3e59582af4c4c6107d9
VirtualSize 0x1e0
VirtualAddress 0xa48000
SizeOfRawData 0x200
PointerToRawData 0x5be400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.76666

Imports

KERNEL32.dll GetModuleHandleW
USER32.dll MessageBoxA
ADVAPI32.dll SystemFunction036
SHELL32.dll ShellExecuteA
MSVCP140.dll ?good@ios_base@std@@QEBA_NXZ
WININET.dll InternetReadFile
CRYPT32.dll CertFreeCertificateChain
WS2_32.dll sendto
PSAPI.DLL GetModuleInformation
USERENV.dll UnloadUserProfile
bcrypt.dll BCryptGenRandom
VCRUNTIME140_1.dll __CxxFrameHandler4
VCRUNTIME140.dll __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll _initialize_narrow_environment
api-ms-win-crt-stdio-l1-1-0.dll feof
api-ms-win-crt-heap-l1-1-0.dll _callnewh
api-ms-win-crt-filesystem-l1-1-0.dll _wstat64
api-ms-win-crt-utility-l1-1-0.dll qsort
api-ms-win-crt-math-l1-1-0.dll _fdopen
api-ms-win-crt-time-l1-1-0.dll strftime
api-ms-win-crt-convert-l1-1-0.dll strtod
api-ms-win-crt-locale-l1-1-0.dll localeconv
api-ms-win-crt-string-l1-1-0.dll strcspn
KERNEL32.dll (#2) GetModuleHandleW
USER32.dll (#2) MessageBoxA
KERNEL32.dll (#3) GetModuleHandleW

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89623
MD5 b8e76ddb52d0eb41e972599ff3ca431b
SHA1 fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
SHA256 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA3 37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd

Version Info

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1400e7f00

RICH Header

Errors

[!] Error: Could not read the exported DLL name.
[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .dta0 has a size of 0!