Manalyze report for 9acd96f2183159f2ed30b70dffbb84562291d366dee7d7c6008599ede3d2b447

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Nov-06 06:54:17
Detected languages	English - United States Process Default Language
TLS Callbacks	1 callback(s) detected.
Debug artifacts	D:\xigncode-neo\_work\xigncode-build\xigncode-build\neo\vsproject\bin\x64\Release\ucldr_x64.pdb
CompanyName	Wellbia.com Co., Ltd.
FileDescription	Wellbia.com Security Loader
FileVersion	`2024.11.6.36`
InternalName	wldr.exe
LegalCopyright	Copyright (C) 2006 - 2018 Wellbia.com Co., Ltd.
OriginalFilename	wldr.exe
ProductName	Wellbia.com Security Loader
ProductVersion	`5.0.0.1`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: taskmgr.exe` `Looks for VirtualPC presence: 0f 3f 07 0b` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: Wellbia.com cacerts.digicert.com crl3.digicert.com crl4.digicert.com digicert.com example.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 http://crl4.digicert.com http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 http://ocsp.digicert.com0 http://ocsp.digicert.com0A http://ocsp.digicert.com0C http://ocsp.digicert.com0X http://ocsp.digicert.com0\ http://www.digicert.com http://www.digicert.com/CPS0 https://curl.se wellbia.com www.digicert.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to Blowfish` `Microsoft's Cryptography API`
Malicious	The file headers were tampered with.	`Unusual section name found:` `Section is both writable and executable.` `The RICH header checksum is invalid.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: FindWindowW FindWindowA` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptGenRandom CryptReleaseContext CryptAcquireContextA` `Leverages the raw socket API to access the Internet: inet_ntoa WSAStartup gethostbyname`
Malicious	The PE is possibly a dropper.	`Resource 101 is possibly compressed or encrypted.` `Resource 164 detected as a PE Executable.`
Info	The PE is digitally signed.	`Signer: Wellbia.com Co.` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	VirusTotal score: 1/71 (Scanned on 2026-03-26 03:44:10)	`Sangfor: Trojan.Win32.Save.a`

Hashes

MD5	`0cce5f259c15cbf55b11b6d146bb78f8`
SHA1	`f19686778c6f7dfcc8dc29fce9a426e5e2cbae58`
SHA256	`9acd96f2183159f2ed30b70dffbb84562291d366dee7d7c6008599ede3d2b447`
SHA3	`ac3dd4fa63226fef398eec90517133e6e73ea5a15cdda743de89e0aaf4715122`
SSDeep	`196608:t5z7ZTdWNPxCozCiy13SMNuWSFQ2k9hDbySMNuWSFQ2k9hDbo:tnTdWNP8RlNwVkzylNwVkzo`
Imports Hash	`37d0ce23270edf05ed47b1aef31aa53a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2024-Nov-06 06:54:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x35800`
SizeOfInitializedData	`0x566400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000BBCC10 (Section: )`
BaseOfCode	`0xbaf000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xdf0000`
SizeOfHeaders	`0x400`
Checksum	`0x852dde`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0c239c2d42ee7ffc7950215f69ea9768`
SHA1	`629937bb7c8a2c6e235ea84480750f576e1e1db5`
SHA256	`b9c1b875b7ea6436527c19a9cb26978737b9bf4ff8976f22d35e01cae80a3d6d`
SHA3	`8e9b16ddbd395e828c1610bacb069bd3c21548aa2d6ca98ab8c550f41b26b42f`
VirtualSize	`0x11f000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x8ae00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.99968`

.rdata

MD5	`bb1ee71cf89d2037e6575b201d5d84d2`
SHA1	`04a9ded3ba26199de5c4497f32952af2944404d6`
SHA256	`6d04ad542a946308c3fdb64851c27e42a2f3c6ebe6da1e2f2b843291469c3b3e`
SHA3	`f17e5488ee2e3c0b3d5c37dd824a5f815c68d5f061ff991a856d202468f709b0`
VirtualSize	`0x61000`
VirtualAddress	`0x120000`
SizeOfRawData	`0x60e00`
PointerToRawData	`0x8b200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.84642`

.data

MD5	`4e9402bb7d5783f0f6e4eda5ceb298cb`
SHA1	`792cc79536377a81649b65eef81cef7453d4f3e4`
SHA256	`c7c4188942058926f85a6d3ad18b55243cd07c6bac0754de521ad49f5b597dcb`
SHA3	`d5857d4042b4ff9dbe1ca4a625a137af0ee39914b39699ac50e494909d8adc10`
VirtualSize	`0x7000`
VirtualAddress	`0x181000`
SizeOfRawData	`0x2800`
PointerToRawData	`0xec000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.26954`

.pdata

MD5	`1fb87034e43aeb3ef4e3f95e9d0926cd`
SHA1	`7bbd244b3161de8396e2bbedeaacecf881e254fc`
SHA256	`327f413334560e3d94d9e7ebc0d96ed05e35ea6b0a79c1b8ac8c2a7ba52f5f0e`
SHA3	`928dfaf05dba6b22fe00dbddeee6cd27947a5080c0c35c9c4dd8eb04a827a92b`
VirtualSize	`0x502000`
VirtualAddress	`0x188000`
SizeOfRawData	`0xcc00`
PointerToRawData	`0xee800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.10138`

.reloc

MD5	`281496de13e0247009368b83c5e6ddc3`
SHA1	`a07cbd5fed6595695f8d180482899216ab05abe1`
SHA256	`aa90c321f055160d086bf542bf54e04344e102ad39ecfef3897e5f6e25bb73d2`
SHA3	`7b1a2dea086bfe46d65358603e076b4904e366544dc128a0c026ad9347848d67`
VirtualSize	`0x6000`
VirtualAddress	`0x68a000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0xfb400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.82066`

.rsrc

MD5	`714e897273da177224536429a85e9804`
SHA1	`018c7a974c0eb213e783ad016840f1b828ca16ba`
SHA256	`a84d3a310d3eefac971105b4aa055cbbf1e2541c41cc2bfd03b76f68f2e129b5`
SHA3	`aa00a131fef7b5d2fc8389f21be6c23f1250a48dbcc377e2975a3bc2a907788f`
VirtualSize	`0x500000`
VirtualAddress	`0x690000`
SizeOfRawData	`0x4f4400`
PointerToRawData	`0xfd200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.7646`

Section_7

MD5	`77b8937113c79238d146f6f848608061`
SHA1	`aab1b67d4d9fff2caeea85f926ac19a6a6e68992`
SHA256	`902bccb67d6a818672324a5926512592ae3b8537a0c04e6591eaf26371c6b819`
SHA3	`af833be1728468ef1f0c65030e4d599ee6ceeb7e5d6269ad63d3cb634a7b4f77`
VirtualSize	`0x260000`
VirtualAddress	`0xb90000`
SizeOfRawData	`0x25be00`
PointerToRawData	`0x5f1600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.53585`

Imports

KERNEL32.DLL	`CreateThread` `CreateProcessW` `QueryPerformanceCounter` `CreateMutexW` `CreateEventA` `CreateFileA` `CloseHandle` `WideCharToMultiByte` `FindClose` `FindFirstFileW` `SetFilePointer` `FindNextFileA` `FindNextFileW` `CreateMutexA` `WaitForSingleObject` `FindFirstFileA` `GetTickCount` `CreateThread` `ReadFile` `WriteFile`
USER32.DLL	`RegisterClassA` `GetMessageA` `DispatchMessageA` `DispatchMessageW` `SetWindowsHookExA` `FindWindowW` `DefWindowProcW` `FindWindowA` `CharNextExA` `SendMessageW` `SetTimer` `EnumWindows` `UnregisterClassW` `UnregisterClassA` `KillTimer` `GetMessageW` `RegisterClassW` `TranslateMessage` `SendMessageA` `SetWindowsHookExW`
GDI32.DLL	`ResetDCW` `GetStockObject`
ADVAPI32.dll	`SetEntriesInAclW` `CryptGenRandom` `CryptReleaseContext` `CryptAcquireContextA` `AllocateAndInitializeSid` `FreeSid` `SetSecurityDescriptorDacl`
WLDAP32.dll	`#143` `#217` `#46` `#211`
WS2_32.dll	`inet_ntoa` `WSAStartup` `gethostbyname`

Delayed Imports

101

Type	`BINS`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x3cc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.7408`
MD5	`36c5680e23ca5b92fc64c8fd2aa34175`
SHA1	`4c854e5330abf2a79e9202a050dbccf7cf95cd13`
SHA256	`84645920e5ee307e41a6ddd69ed6739624636dec242178178f88045db4d56848`
SHA3	`054c8979eb5c247341bb51e72ef80bd5c77fab976a1bac950487154fcc048a86`

132

Type	`BINS`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x2000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56177`
MD5	`ec0bdc2fcb2c7396c181cba0f91981b3`
SHA1	`e9f5e9b45090f84aef3c373b97cf9651122096b8`
SHA256	`275e93b6de87728c34db83610f95fee5021e6a5a8b9a21068ae5f391dd6bd619`
SHA3	`9199f0f61e13ff2421760797068c88e4a6db99817a9bf33f5a5ec00c2b0c95f0`

164

Type	`BINS`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x4ef320`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.77181`
Detected Filetype	PE Executable
MD5	`9a13c4ccab9ce25869f4391750543c7f`
SHA1	`b8978ea1abf992d35b79c43ffa388819414d2904`
SHA256	`5adda4fa5f043b0398b27528bbb0ac317f0abe569906a554728eda8414a13664`
SHA3	`df70ab6e7aa6164353f42bc4b653b6e0c065c9bd473e5fdbcf61eac7a92c4e3f`

165

Type	`BINS`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x2000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56177`
MD5	`ec0bdc2fcb2c7396c181cba0f91981b3`
SHA1	`e9f5e9b45090f84aef3c373b97cf9651122096b8`
SHA256	`275e93b6de87728c34db83610f95fee5021e6a5a8b9a21068ae5f391dd6bd619`
SHA3	`9199f0f61e13ff2421760797068c88e4a6db99817a9bf33f5a5ec00c2b0c95f0`

1

Type	`RT_ICON`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.0652`
MD5	`7f8a87cbcabb895e088cc59666df9480`
SHA1	`c1470114cc7db0f4d982c05841b0f5d6d6346796`
SHA256	`c5960d7a7f72988e2683db42e392e733aeb2433f29f8f46aeb9189259d9eac8e`
SHA3	`6eae4118053197c19cc04904b8e0cc052a6a0217e486c72938031cfd2602ef1a`

178

Type	`RT_GROUP_ICON`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`1baa0fc65d0e8b2644ba42421588f013`
SHA1	`a140a81349bba65ced301c54a5293c783321c46b`
SHA256	`6ab3af43b37c7daa4ae86afb4fc61d4a7444d305c03021f2e91f793b460d0cdf`
SHA3	`68d6debacf74501dc19fd345cac4608cd4797019b85b8980f8a475cd5abc7625`

1 (#2)

Type	`RT_VERSION`
Language	Process Default Language
Codepage	Latin 1 / Western European
Size	`0x344`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46963`
MD5	`2b434a264eb936d81c73711a2794bed5`
SHA1	`b37433f7581f40bb62cef700eff34abc9a9d9148`
SHA256	`34d98b95ab56bd30ef0c8e9d995c8e369f27752e275ff979508f8bf494e63bf9`
SHA3	`0ec6ac371edead29884065e839aaefc77c04246ebca0b4f6c619d43566a4ce7f`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2024.11.6.36
ProductVersion	5.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Process Default Language
CompanyName	Wellbia.com Co., Ltd.
FileDescription	Wellbia.com Security Loader
FileVersion (#2)	2024.11.6.36
InternalName	wldr.exe
LegalCopyright	Copyright (C) 2006 - 2018 Wellbia.com Co., Ltd.
OriginalFilename	wldr.exe
ProductName	Wellbia.com Security Loader
ProductVersion (#2)	5.0.0.1

Resource LangID	Process Default Language

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Nov-06 06:54:17
Version	`0.0`
SizeofData	`120`
AddressOfRawData	`0xba4a14`
PointerToRawData	`0x606014`
Referenced File	D:\xigncode-neo\_work\xigncode-build\xigncode-build\neo\vsproject\bin\x64\Release\ucldr_x64.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-Nov-06 06:54:17
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0xba5a14`
PointerToRawData	`0x607014`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Nov-06 06:54:17
Version	`0.0`
SizeofData	`928`
AddressOfRawData	`0xba6a14`
PointerToRawData	`0x608014`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2024-Nov-06 06:54:17
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x14016c1b0`
EndAddressOfRawData	`0x14016c1b8`
AddressOfIndex	`0x1401867ac`
AddressOfCallbacks	`0x140b90010`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`0x0000000140BBCD20`

Load Configuration

Size	`0x100`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140181170`

RICH Header

XOR Key	`0xd974e7d6`
Unmarked objects	`0`
241 (40116)	`14`
243 (40116)	`174`
242 (40116)	`27`
ASM objects (27051)	`1`
199 (41118)	`8`
ASM objects (VS 2015/2017 runtime 26706)	`9`
C++ objects (VS 2015/2017 runtime 26706)	`63`
C objects (VS 2015/2017 runtime 26706)	`35`
Imports (VS2008 SP1 build 30729)	`15`
Total imports	`311`
C objects (27045)	`132`
C objects (27051)	`59`
C++ objects (LTCG) (27051)	`61`
Resource objects (27051)	`1`
151	`1`
Linker (27051)	`1`

Errors

Leave a comment

No comments yet.