Manalyze report for a2cb74336253723bbf204166fb27c2d8

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Malicious	VirusTotal score: 18/70 (Scanned on 2021-05-04 15:23:52)	`Elastic: malicious (high confidence)` `Cybereason: malicious.362537` `ESET-NOD32: a variant of Win64/Riskware.CobaltStrike.Artifact.Q` `APEX: Malicious` `Kaspersky: HEUR:Backdoor.Win64.Agent.gen` `Avast: Win64:Malware-gen` `McAfee-GW-Edition: BehavesLike.Win64.Generic.dc` `FireEye: Generic.mg.a2cb74336253723b` `Sophos: ML/PE-A + ATK/Cobalt-A` `Jiangmin: Backdoor.Agent.jkq` `Avira: HEUR/AGEN.1142068` `Microsoft: Trojan:Win32/Wacatac.B!ml` `ZoneAlarm: HEUR:Backdoor.Win64.Agent.gen` `Cynet: Malicious (score: 100)` `Rising: HackTool.CobaltStrike!8.1216E (TFE:5:iofOiGKTS0S)` `eGambit: Unsafe.AI_Score_74%` `AVG: Win64:Malware-gen` `CrowdStrike: win/malicious_confidence_70% (D)`

Hashes

MD5	`a2cb74336253723bbf204166fb27c2d8`
SHA1	`a183485eb01b89645c776d6062633d6a573a34d7`
SHA256	`90ca2a778b4cf8f0200102ab9fc65e41e862e11d9c94b927e0db80bd34229ec5`
SHA3	`89d5c76f5bd3324e1037a855fc9f67be3a8d0fa673d6c190cfbe0dc43acb03fa`
SSDeep	`6144:yHHIQfEl5Pvzw+FwkgW1UHnx54H9pbduYAcAa9SaT/NHE2:1BLwARH1UHfYykNk`
Imports Hash	`0f6557118b99fe3553d5fb1e5a6c808e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x1e00`
SizeOfInitializedData	`0x45e00`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x00000000000014C0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x4d000`
SizeOfHeaders	`0x400`
Checksum	`0x4fada`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`9c043410d14d11fe8be86e6b9362eb77`
SHA1	`47c5da725c901ec2d85f7f635ee68845c3048920`
SHA256	`7694db48baa03a1ae051c33413c84c44819db5a6efa386ca53d73d47af60ba43`
SHA3	`7afb040d9a81dd48f3102e931ef5f7658599e6caeb9e92b9c95dfb78b9df63b2`
VirtualSize	`0x1d18`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.00489`

.data

MD5	`38abe533ef31075ddaa082da407a880c`
SHA1	`d220371056f2f6889bd7d1659128eab71fa4edbb`
SHA256	`248d78515852f4d19fc8635019bb391c8e4e200ce3c2ad1e7e9c93c117d0ed26`
SHA3	`fb8eab5af8f3d2f167245979a0d0f5f53c7bfca2b3dbb31cdb8cf2864d1650fd`
VirtualSize	`0x424c0`
VirtualAddress	`0x3000`
SizeOfRawData	`0x42600`
PointerToRawData	`0x2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.30355`

.rdata

MD5	`c6db8e6cb057a1c722327685d8e1156e`
SHA1	`1f969cedbebf5f6d2dddccd4a00067bb18f5d0b0`
SHA256	`086b7840e40d13ef5a809de0e2a162d878e7f849110db45cf52fc6bce18f7f37`
SHA3	`9c14153580901696becce38e3c797d777c474396a88d818f221c927b927ecdcb`
VirtualSize	`0x8e0`
VirtualAddress	`0x46000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x44800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.22921`

.pdata

MD5	`6918a289cc7c3f03693aa2cf3224f5ef`
SHA1	`31fb73b991a7a44f10f2104536478c652d8e0832`
SHA256	`b6ab1e69670cf0a2a0a0b427f63414c52f002934eebe1d7825300f0b8a2b01ea`
SHA3	`aadf5b8ab2bd750c62a7021d8ddd5edbba66ac13ae43d04c5b18834c7b2384cd`
VirtualSize	`0x258`
VirtualAddress	`0x47000`
SizeOfRawData	`0x400`
PointerToRawData	`0x45200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.81815`

.xdata

MD5	`6be638f0e67431e5d71422a542a6cceb`
SHA1	`ad218629264e1522cea5a40ff5724bc05681118c`
SHA256	`2a5cda03b5bdd91a63ea0bfc146ffd51ef55e892721f4d39c6abe20960a6b38f`
SHA3	`fbdac13b6ee66f52538aa1a0dd46f1f88046dec9e950c5d79b823ce13117c312`
VirtualSize	`0x1bc`
VirtualAddress	`0x48000`
SizeOfRawData	`0x200`
PointerToRawData	`0x45600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.46936`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1a0`
VirtualAddress	`0x49000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`3cf1e5215c4657f629d0b83f1ca8161b`
SHA1	`d8efd25687be34545ad1a2bb60a5141c96781d81`
SHA256	`e8dc8c437af116bf5f766520da08ed94fed39e79a147633493a009deeb25ee44`
SHA3	`186565d5b86f32ddb283c232dd27e94b8af04e7c2bdfbc4415b460f066784e84`
VirtualSize	`0x5e8`
VirtualAddress	`0x4a000`
SizeOfRawData	`0x600`
PointerToRawData	`0x45800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.15307`

.CRT

MD5	`c67b142e3125f1a21d323089150a9cb8`
SHA1	`5202608d0021f23f14241c8c0c229d125f5eb6bd`
SHA256	`3177529d3344e605f644dbde0931f1abbfbb3ecfbde080b8c3000bc4ecd4662e`
SHA3	`ecab7698baea802f4e78a59928ed1a4d649af8cd4ca2d2aeb42d9bd8dc8ac683`
VirtualSize	`0x68`
VirtualAddress	`0x4b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x45e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.253738`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x4c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x46000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

Imports

KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `GetCurrentProcess` `GetLastError` `GetModuleHandleA` `GetProcAddress` `GetStartupInfoA` `InitializeCriticalSection` `LeaveCriticalSection` `SetUnhandledExceptionFilter` `Sleep` `TlsGetValue` `VirtualProtect` `VirtualQuery`
msvcrt.dll	`__C_specific_handler` `__getmainargs` `__initenv` `__iob_func` `__lconv_init` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_cexit` `_commode` `_fmode` `_initterm` `_onexit` `abort` `calloc` `exit` `fprintf` `free` `fwrite` `malloc` `memcpy` `signal` `strlen` `strncmp` `vfprintf`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x44c000`
EndAddressOfRawData	`0x44c008`
AddressOfIndex	`0x44909c`
AddressOfCallbacks	`0x44b040`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000000401C40` `0x0000000000401C10`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!