Manalyze report for 9ecdc9ed1bea6c226f92d740d43400b9

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Nov-03 15:10:14
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .imports` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot`
Suspicious	The PE contains functions most legitimate programs don't use.	`Possibly launches other programs: ShellExecuteA` `Leverages the raw socket API to access the Internet: getsockopt` `Reads the contents of the clipboard: GetClipboardData`
Malicious	VirusTotal score: 54/74 (Scanned on 2024-06-28 09:12:01)	`ALYac: Gen:Variant.Mikey.162607` `APEX: Malicious` `AVG: Win64:MalwareX-gen [Trj]` `AhnLab-V3: Trojan/Win.Generic.C5559431` `Antiy-AVL: Trojan[Packed]/Win64.Themida` `Arcabit: Trojan.Mikey.D27B2F` `Avast: Win64:MalwareX-gen [Trj]` `Avira: TR/CoinMiner.wonhj` `BitDefender: Gen:Variant.Mikey.162607` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_100% (W)` `Cybereason: malicious.d1bea6` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Packed.Themida.L suspicious` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Mikey.162607 (B)` `F-Secure: Trojan.TR/CoinMiner.wonhj` `FireEye: Generic.mg.9ecdc9ed1bea6c22` `Fortinet: Riskware/Application` `GData: Gen:Variant.Mikey.162607` `Google: Detected` `Gridinsoft: Trojan.Heur!.03210023` `Ikarus: PUA.Themida` `K7AntiVirus: Trojan ( 0057a5231 )` `K7GW: Trojan ( 0057a5231 )` `Lionic: Trojan.Win32.Themida.4!c` `MAX: malware (ai score=87)` `Malwarebytes: Malware.AI.4093198989` `MaxSecure: Trojan.Malware.219104223.susgen` `McAfee: Artemis!9ECDC9ED1BEA` `McAfeeD: Real Protect-LS!9ECDC9ED1BEA` `MicroWorld-eScan: Gen:Variant.Mikey.162607` `Microsoft: Trojan:Win32/CoinMiner.A` `Paloalto: generic.ml` `Panda: Trj/Chgt.AD` `Rising: Trojan.ScarletFlash!8.FB27 (CLOUD)` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Generic.rc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `TrendMicro: TROJ_GEN.R002C0DC424` `TrendMicro-HouseCall: TROJ_GEN.R002C0DC424` `VIPRE: Gen:Variant.Mikey.162607` `Varist: W64/Trojan.GKA.gen!Eldorado` `VirIT: Trojan.Win64.Agent.CHJA` `Webroot: W32.Trojan.Gen` `Xcitium: ApplicUnwnt@#15ij81vyoo2q3` `Yandex: Riskware.Themida!O6eVvGVSD9g` `Zillya: Trojan.Themida.Win64.9396` `alibabacloud: Trojan:Win/Packed.Themida.L`

Hashes

MD5	`9ecdc9ed1bea6c226f92d740d43400b9`
SHA1	`b5b5066cd4284733d8c3f3d7de3ca6653091ae10`
SHA256	`60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c`
SHA3	`d6a9a2feea240bf91f35e8c23224d180615b5cde788387dfe95fee475a5ef17d`
SSDeep	`98304:vnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUPj:PTn2qcUzp6UYeJRCxPj`
Imports Hash	`aa8187ac188fef5b00d3df8ca8d83f06`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2023-Nov-03 15:10:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xc1600`
SizeOfInitializedData	`0x91e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000736058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xa9f000`
SizeOfHeaders	`0x400`
Checksum	`0x4196bd`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`66cc913bed581687efc2e3a777e5713c`
SHA1	`608dcd977c15a5391b5ce75065f3a6221a65aa3d`
SHA256	`bee9941113d8f53b9bb3ce121f08216fdabb026834f73dea87230274414ee8cd`
SHA3	`77732fc83fb383e1a728ab74f3b09184819d8a334a0f238fbe3ebd0af2469e54`
VirtualSize	`0xc1430`
VirtualAddress	`0x1000`
SizeOfRawData	`0x62529`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98204`

(#2)

MD5	`465ea47810927552949a967d8e7427b7`
SHA1	`956259657d8ca400abf775b0d24ea73eee7a095b`
SHA256	`48a7204240931943a801ac3e2f8e40b887722940804e8f83b1770d35c7abf264`
SHA3	`e6f33cc520faf7b7f116ab1c469d2d9017c7ccca5bd6a04c4432acf7c0b9677a`
VirtualSize	`0x28808`
VirtualAddress	`0xc3000`
SizeOfRawData	`0x1126e`
PointerToRawData	`0x62a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.97561`

(#3)

MD5	`098e9325c42424a0b8a1a5c447bb7168`
SHA1	`44b092aab0162a9acf54aa0aebd1d22d967c3a6d`
SHA256	`60922c288ed300a26f7406894d90c4cd5e5b7b9ff59190c761e736cbce958d9b`
SHA3	`e91279e7f45bb7a101d97b576cf509f8a23f074ce8c3ee129f63f89c17b46af7`
VirtualSize	`0x60b00`
VirtualAddress	`0xec000`
SizeOfRawData	`0x30013`
PointerToRawData	`0x73e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97776`

(#4)

MD5	`5e4808dc5be7fa1c2bb50e3cdf5241fa`
SHA1	`b90942aa9ff65eaced865ce94465814e5d0d1d09`
SHA256	`fdd8b9b9c72c0a812a4e47dfd9274788fbde621199aae5aceca460da476748a1`
SHA3	`6b6a236929c7083428413a955a8dee7e0c34075f506dc1d338682fbe60d30850`
VirtualSize	`0x7d1c`
VirtualAddress	`0x14d000`
SizeOfRawData	`0x49ef`
PointerToRawData	`0xa4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.65997`

(#5)

MD5	`50dc911238d80d782624028acb9bf824`
SHA1	`0dbb76bf3a4439053273dcf4d35c4fa2b87570cb`
SHA256	`db8670832e9deb7732f068c54a1857adcf7b61e0c5bf606fb9bbc935d24b97d9`
SHA3	`11b0c1eadf19d69c1ef1c23901c0a42981127b8dd1ba5149bc990a15f84a506a`
VirtualSize	`0x1e0`
VirtualAddress	`0x155000`
SizeOfRawData	`0x10b`
PointerToRawData	`0xa8a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.16054`

(#6)

MD5	`921f97fd868e93fafd2dc7bd6056c075`
SHA1	`8c3e9f4eaa042f1439315978187ccee2734e18cf`
SHA256	`b6390cb3e482fb0fe9aaa3a99454971611fd65cc79a803800df82a63166a6fe8`
SHA3	`1d3066934fa92cf2663ab72b4e397e752e1aa0daf3c13e5b9513a7cdde449b5c`
VirtualSize	`0x7a8`
VirtualAddress	`0x156000`
SizeOfRawData	`0x507`
PointerToRawData	`0xa8c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.64401`

.imports

MD5	`332c4ef57d92699bd01be7dd63111167`
SHA1	`780b5e4b10e94cff1f5a01bf841e72b8321851d2`
SHA256	`b3e6ce50e78f581b3ff88c6e379549f1ffdc1c6c2072d8bc13bfd45422a692e6`
SHA3	`ce1785fcb13e7359a9d9d2f4221210199d1e280fa94235671fde6eb0266c26b8`
VirtualSize	`0x1000`
VirtualAddress	`0x157000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xa9200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.7701`

.tls

MD5	`2b5b3520911f87fee6e1f9d7204da34d`
SHA1	`7b385c5944c5e84a84a0437f19e79e28cb45b96a`
SHA256	`e1ab5eb58f25853d88117c9dbb17dc2f78a99149c02f0d9fa50ff024322021ee`
SHA3	`9cc1a52ff5048f933849a856ab90780cee0fbcd57b403fd8fb262e3663f8e23c`
VirtualSize	`0x1000`
VirtualAddress	`0x158000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa9c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.271892`

.rsrc

MD5	`8ce83da8f9828005fc5503c2dd5d2c70`
SHA1	`ed40ac8a008d3d7cdaf96248a0ce2ef8e8696691`
SHA256	`15afd4aa8b49758927b1ed78c27cb30d75ba29b447a8bf62f33a227109ac0a73`
SHA3	`b5d5dc6c4f23d446d172b8226bdc0222bd64b87c43c3e9879a51d799d1405717`
VirtualSize	`0x1000`
VirtualAddress	`0x159000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa9e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5dc000`
VirtualAddress	`0x15a000`
SizeOfRawData	`0`
PointerToRawData	`0xaa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`b52bb3e0e7a8964d76d281c47564049c`
SHA1	`583e812d236163aa2fe7cb1fcaafd72e5065c690`
SHA256	`38626cca07a6b9a07fd97fb55d47bd7d3c3bc256c35030fc70d689fcdd77019c`
SHA3	`8adec1db70c7145cedaf423ea4e397b5a7f554ff3f27c8915aa9a4e16d55a808`
VirtualSize	`0x367800`
VirtualAddress	`0x736000`
SizeOfRawData	`0x367800`
PointerToRawData	`0xaa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.9602`

.reloc

MD5	`7e6e987ed4eb5b6f639f8f1b1048167f`
SHA1	`5f567ad689d4036f409bf5795470f3522b1690be`
SHA256	`7b8145a9dbf32606544fdfdd9b341065e267cad98e087f7a36d641570e24f376`
SHA3	`39928757d3625cc92430dc3ee15fcb35c2460d08729c977607712da22c99bafe`
VirtualSize	`0x1000`
VirtualAddress	`0xa9e000`
SizeOfRawData	`0x10`
PointerToRawData	`0x411800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

Imports

kernel32.dll	`GetModuleHandleA`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
USER32.dll	`GetClipboardData`
ADVAPI32.dll	`AddAccessAllowedAce`
SHELL32.dll	`ShellExecuteA`
MSVCP140.dll	`??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z`
IMM32.dll	`ImmGetContext`
D3DCOMPILER_47.dll	`D3DCompile`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
Normaliz.dll	`IdnToAscii`
WLDAP32.dll	`#301`
CRYPT32.dll	`CertGetCertificateChain`
WS2_32.dll	`getsockopt`
RPCRT4.dll	`UuidToStringA`
PSAPI.DLL	`GetModuleInformation`
USERENV.dll	`UnloadUserProfile`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`__current_exception`
api-ms-win-crt-runtime-l1-1-0.dll	`_configure_narrow_argv`
api-ms-win-crt-stdio-l1-1-0.dll	`fclose`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-string-l1-1-0.dll	`strspn`
api-ms-win-crt-heap-l1-1-0.dll	`malloc`
api-ms-win-crt-convert-l1-1-0.dll	`strtoul`
api-ms-win-crt-math-l1-1-0.dll	`cosf`
api-ms-win-crt-time-l1-1-0.dll	`_gmtime64`
api-ms-win-crt-filesystem-l1-1-0.dll	`_unlink`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x1062bd07`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`22`
C++ objects (VS 2015-2022 runtime 32533)	`2`
253 (32420)	`8`
C objects (32420)	`10`
ASM objects (32420)	`4`
C++ objects (32420)	`35`
Imports (32420)	`6`
C objects (VS2019 Update 6 (16.6.1-5) compiler 28806)	`105`
C objects (VS2022 Update 3 (17.3.0-3) compiler 31629)	`2`
C++ objects (VS2022 Update 3 (17.3.0-3) compiler 31629)	`2`
Imports (30795)	`35`
Total imports	`464`
C++ objects (LTCG) (32538)	`18`
Resource objects (32538)	`1`
Linker (32538)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!