Manalyze report for 9d847ce73c7b1392348732f66790dc28

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Aug-01 04:39:37

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryA GetProcAddress` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`12794608 bytes of data starting at offset 0x53c00.` `The overlay data has an entropy of 7.99843 and is possibly compressed or encrypted.` `Overlay data amounts for 97.3889% of the executable.`
Malicious	VirusTotal score: 31/74 (Scanned on 2024-07-14 17:48:43)	`AVG: FileRepMalware [Misc]` `AhnLab-V3: Trojan/Win.Agent.C5648656` `Alibaba: TrojanPSW:Win32/Almi_LaZagne.a` `Antiy-AVL: HackTool/Python.Doser` `Avast: FileRepMalware [Misc]` `Avira: TR/Agent.jjmxv` `Bkav: W64.AIDetectMalware` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Python/HackTool.DoSer.M` `F-Secure: Trojan.TR/Agent.jjmxv` `Fortinet: W32/DoSer.M!tr` `Google: Detected` `K7AntiVirus: Trojan ( 005b10021 )` `K7GW: Trojan ( 005b10021 )` `Lionic: Trojan.Win32.Bitmin.tsev` `Malwarebytes: Agent.Spyware.Stealer.DDS` `McAfee: Artemis!9D847CE73C7B` `McAfeeD: ti!5A000DFADC58` `Microsoft: HackTool:Win64/Agent!MTB` `Paloalto: generic.ml` `Sangfor: Hacktool.Win32.Doser.V5ae` `Skyhigh: BehavesLike.Win64.TrojanPypykatz.rc` `Sophos: Mal/Generic-S` `Symantec: Trojan.Gen.MBT` `TrendMicro-HouseCall: TROJ_GEN.R002H0AAI24` `Varist: W64/ABApplication.GNXM-0199` `VirIT: Trojan.Win64.Genus.GYZ` `Webroot: W32.Malware.Gen` `Xcitium: Malware@#1s2h15ght67xc` `alibabacloud: HackTool:Python/DoSer.M`

Hashes

MD5	`9d847ce73c7b1392348732f66790dc28`
SHA1	`1c3de96158925d938aabb6b0098f9db260895a3f`
SHA256	`5a000dfadc5854935e75024fc35aeaa461d8f9ac997730310fe19638006745ac`
SHA3	`1141e10c08eb5214a5b4a400ec4d3b4194ae4a134fd66c619da6971b7a1b86a9`
SSDeep	`393216:JU9lz21WCx1InEroXgfEqirRRo5tN3ZWU03xToggqiD+iU4:+C1Vx+ErUswvstN37+gqc93`
Imports Hash	`2cdcfb3a828433ba76b5b41f45519bd9`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2021-Aug-01 04:39:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x23600`
SizeOfInitializedData	`0x30200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000009D04 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x68000`
SizeOfHeaders	`0x400`
Checksum	`0xc96f7e`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`005fa3c431f3d0f1fc815ef603750e9c`
SHA1	`58b99f0cc6c4557ca01e33f434e0b89ac2cb8f95`
SHA256	`2dd1d849123e816979f83f8a8f0687e18fb7d514f92d4a15f0f9f6041e055581`
SHA3	`68684231d5dd8de9e9358722f76e9d8dca13f1297cc42e6300021273e6104903`
VirtualSize	`0x23520`
VirtualAddress	`0x1000`
SizeOfRawData	`0x23600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46951`

.rdata

MD5	`537c9f75e1e0a3ad952dec4473429e14`
SHA1	`d0975974c2f0e376f8a0bf5ed8cc7c2bd2f2ebeb`
SHA256	`f7b6c5393f7e544154e3aae4b996b7f86cba32b0a9b3b3ac76c3d9d962652377`
SHA3	`2b1acb68be0b9db5c8632b90825264496b2345f2975920b14536218ecffbfe5b`
VirtualSize	`0x1147c`
VirtualAddress	`0x25000`
SizeOfRawData	`0x11600`
PointerToRawData	`0x23a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.72647`

.data

MD5	`e72304a9e9f9718bd2a4b7dfcb43ccda`
SHA1	`0cd33090a246c6c05624aa34c04288089026437a`
SHA256	`83d60d72970ebeed49e9801bca3d16983c81404b68869cccd0cff977e8efa04f`
SHA3	`063fcf10e7fd9a0c5ccd068237b7a2b52282a9dfd7183b278ab6b89cabbaa5ab`
VirtualSize	`0x103b8`
VirtualAddress	`0x37000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x35000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.65086`

.pdata

MD5	`15f095e2a81a7269bcf276c3bf00a592`
SHA1	`ee1045d0085ede68043b058f002fa90a70d3d6c1`
SHA256	`700c80c98ba4d377e4c8dc08dbc4d0c9b0bcdd7c6959bda9b4e1e38e2489e40c`
SHA3	`22aa50194643cb5329d0131d7babbb200c5aabc3d153e49bc4a6aae9491012e8`
VirtualSize	`0x1e0c`
VirtualAddress	`0x48000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x35e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.14015`

_RDATA

MD5	`2da00c611f87ac523528ea22d612a913`
SHA1	`06b4700c27cdaa0a9d92af5532c30e5343cf0ac1`
SHA256	`9d97ddd4b5e6b957f8b694faf25046f81970bad2a6630db214d24278e0586293`
SHA3	`85a5472723df4920dd68ceb9952004856c2aa6ec4669cc7e0ced67615c64a216`
VirtualSize	`0xf4`
VirtualAddress	`0x4a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x37e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.9609`

.rsrc

MD5	`228a68f8192d2938fd7546699b7d735d`
SHA1	`47d9b1ae4a274738915b19213639aa05c40b93e8`
SHA256	`6ce74d6a4f00a042526a7bfd2d84139ab5d66542a3a4b0cfb8d9cd4a68d6f1cc`
SHA3	`ab7039c90eaa4e2ff0143dd15b798385814743cc2d93d431019756b72d1cba97`
VirtualSize	`0x1b290`
VirtualAddress	`0x4b000`
SizeOfRawData	`0x1b400`
PointerToRawData	`0x38000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.25061`

.reloc

MD5	`aef3fe5d01c63e9b3a006bad387e1444`
SHA1	`795511433ec8f77e79d39494dea1431263cd7c3b`
SHA256	`ec2a2351388304049a981ea35dae3ac39b1bc53ebcda57c195584f3015935668`
SHA3	`91b07d2964138282f0a33cc3e79ae0ac436e86e8a29d16f8cedaef7213d0a7d4`
VirtualSize	`0x73c`
VirtualAddress	`0x67000`
SizeOfRawData	`0x800`
PointerToRawData	`0x53400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.23369`

Imports

KERNEL32.dll	`GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `FreeLibrary` `LoadLibraryExW` `CloseHandle` `GetCurrentProcess` `LoadLibraryA` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `SetEndOfFile` `GetProcAddress` `GetModuleFileNameW` `SetDllDirectoryW` `GetStartupInfoW` `GetLastError` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `RaiseException` `GetCommandLineA` `ReadFile` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `GetFileAttributesExW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `HeapReAlloc` `WriteConsoleW`
ADVAPI32.dll	`ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2576`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.93314`
Detected Filetype	PNG graphic file
MD5	`67a3235578e5cd2f36ddc670da0e30a2`
SHA1	`2bef2bcf9d7aee5ffe06ca6c574b668aac836c34`
SHA256	`af1ec0131e4058f973987426b7294e12c81d439933eddfbce8ebe5ca26b64422`
SHA3	`b4190c3bbc3132de6b63209a7a11287d05f3e00250719f632e19d54699734990`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.82326`
MD5	`eca147476bf3ba6e5d7280bd2732cc05`
SHA1	`e95446981dbd8ab3fca936a6bb6c670c1ca711e4`
SHA256	`30681df0e65483dac3ae2323117aeed3ea378f4b0739d95917d2f350672b4577`
SHA3	`eca1f08913f087deb4669b1de8f40939c663bc37c086fa2eb870b6ddbdd6dc81`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.89077`
MD5	`e8a7e690aae7c99e60faf28ac5805de3`
SHA1	`1eeb823f3bf96cee0510de8e4e674413cb4078ca`
SHA256	`f571dd6c458f2b1dd1d58c724a2b8d4ca73a694da82a907a88d4a66115cb54ce`
SHA3	`e221a69a06fe291fe7fcd5dc75c8be562cf849332904b9ef33285addff757f55`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.92889`
MD5	`b5974665e4711bb8a2b074742fc7b915`
SHA1	`d1ebd2bbd2310a1b840777a11665b4084f23edfe`
SHA256	`7f998aac92c64d98edd34ecb880b75353dfc71689b4203ff503df1946a343e2d`
SHA3	`0eb09bdd867d4eb3ca2dad22c6569841f61278934c2033f3251b613cf8a049fa`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.9871`
MD5	`de263470b7a0a47d2c915b24ac3814ac`
SHA1	`92d0abda5186ec234ab24611216f4b9efb326595`
SHA256	`de523ee65d26efcc495c9b7a94960451a6d2297e2b160f6ca859b768ebdb69bf`
SHA3	`83afaeaf9481656a81d6a0b6d4e6e759619b667f36259bc5433a171199d59cae`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.87485`
MD5	`9a80086278cfadda2bc087039be2f658`
SHA1	`91555af80be3c361d0d26e9c8c9314cb6b1f849f`
SHA256	`6d83cdb59298fd8a154bb28f7514012fcc8e63532d3dbe86cce1273cb2066f64`
SHA3	`e660c354c532bd145c1f91100ffa10826f6bf3babe76e58940866e3dbca30d60`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.77685`
Detected Filetype	Icon file
MD5	`5f9810e0ef99397bbc58c96561712340`
SHA1	`e5791122a610302849b639709b1600dae84a8186`
SHA256	`2666ff10b778c511d84828023700c55badbb3544d9f46756cafcd0775ed335fc`
SHA3	`5a8fbab48ebb013c1e0f5161edd5596d23e2dd8eb83f39251ab28718cc882ed2`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5d9`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.27363`
MD5	`344fb14bbdda6fd9a2563b496cd2a32c`
SHA1	`73125f59538df4ca9f8c76f9994074b5863e53f1`
SHA256	`f971155b7f3546022210116780d75af40038ad34956f0e7960aad8c52228296f`
SHA3	`353d2ae1abf1302cbefc49c52b1ad0b82b85fcb034b48973e2ba8cf73dcc82c5`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Aug-01 04:39:37
Version	`0.0`
SizeofData	`656`
AddressOfRawData	`0x33980`
PointerToRawData	`0x32380`

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140037018`

RICH Header

XOR Key	`0x584622d4`
Unmarked objects	`0`
C objects (27412)	`11`
ASM objects (27412)	`7`
C++ objects (27412)	`185`
253 (28518)	`3`
C++ objects (VS 2015/2017/2019 runtime 29913)	`38`
C objects (VS 2015/2017/2019 runtime 29913)	`17`
ASM objects (VS 2015/2017/2019 runtime 29913)	`9`
Imports (27412)	`5`
Total imports	`114`
C objects (VS2019 Update 9 (16.9.4) compiler 29914)	`19`
Linker (VS2019 Update 9 (16.9.4) compiler 29914)	`1`

9d847ce73c7b1392348732f66790dc28

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

0

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors