Manalyze report for a8386896c08f210a7f3aef71b5ba8bff

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-Jan-20 18:33:30
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: cs26494.tw1.ru http://cs26494.tw1.ru`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .lol` `Section .lol is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Possibly launches other programs: CreateProcessA` `Uses Microsoft's cryptographic API: CryptAcquireContextW` `Leverages the raw socket API to access the Internet: WSAStartup __WSAFDIsSet closesocket select shutdown WSASocketW getaddrinfo getpeername send socket ntohs connect recv getsockopt freeaddrinfo ioctlsocket getnameinfo setsockopt WSAGetLastError WSACleanup` `Enumerates local disk drives: GetVolumeInformationA`
Malicious	VirusTotal score: 13/70 (Scanned on 2023-01-22 17:18:28)	`FireEye: Generic.mg.a8386896c08f210a` `Cybereason: malicious.a386bb` `Symantec: ML.Attribute.HighConfidence` `Elastic: malicious (high confidence)` `APEX: Malicious` `Sophos: Generic ML PUA (PUA)` `McAfee-GW-Edition: BehavesLike.Win64.Generic.vc` `Ikarus: Trojan.Win64.Agent` `Microsoft: Trojan:Win32/Sabsik.FL.B!ml` `Gridinsoft: Trojan.Heur!.03210023` `Google: Detected` `Acronis: suspicious` `MaxSecure: Trojan.Malware.300983.susgen`

Hashes

MD5	`a8386896c08f210a7f3aef71b5ba8bff`
SHA1	`fa777cda386bbc353c00bc021dd65037a93381d2`
SHA256	`bec57463af4eae76d9f853e9e3908ad2cc35c355ba31a1ec40b149df5fa11fb3`
SHA3	`609ae45db6eb4e19c2aa5f90120c178f28420f05c3d4d4508488398efce2fec2`
SSDeep	`196608:OrzBvfFqFQbPwZbNN0lSDbBQ+Razb/vxU3:OnBvfAFQbPwNHCSmTzTs`
Imports Hash	`f29700ebb783973e255e0be5f81e5e5a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2023-Jan-20 18:33:30
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x67a00`
SizeOfInitializedData	`0x3a4400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000003CC00 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xbd9000`
SizeOfHeaders	`0x400`
Checksum	`0x6594e9`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1b0de277bc565b75b7f8e55f8632db81`
SHA1	`e1c14dd3b30cd1d390a8c3471158269acc23721c`
SHA256	`f24d06142ca229b43482bc6ca2f5024ac2a39d8eeef4ed0a983ba74663814a2d`
SHA3	`1a714b353dde5315c238781b6cadfc87ec01722331db389d0396c6755c0dd152`
VirtualSize	`0x67998`
VirtualAddress	`0x1000`
SizeOfRawData	`0x67a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.71253`

.rdata

MD5	`112f80d440c3ff726f8c8dccb9de3d02`
SHA1	`96a2a2ce906bb8b76a95b65e73ad01a594f1f40f`
SHA256	`c03711997a91f2c99647c42140f14c94955c93ca3259c03c2c4a98792eeb44cc`
SHA3	`8f2769bb3a6bff4f1d40b07a333f37063bae2aae6442fc65c956840978f6dd87`
VirtualSize	`0x1c4a4`
VirtualAddress	`0x69000`
SizeOfRawData	`0x1c600`
PointerToRawData	`0x67e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.32762`

.data

MD5	`7c915866948930c3125fa4c14cdf327c`
SHA1	`4928237224453e2df65793a1947463df8fa1834f`
SHA256	`9cdd75532408e7242cab7d63e1ba77f52542fb7df5a0f18286234f6da355ae31`
SHA3	`6b1cbb93372b07954845d4ba54b0609256fa34ed72592ebe76f74f1ac48bee89`
VirtualSize	`0x382904`
VirtualAddress	`0x86000`
SizeOfRawData	`0x380e00`
PointerToRawData	`0x84400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.9947`

.pdata

MD5	`dcccd1b2ab6dd72855587e942430a701`
SHA1	`5845093ce36ee6e55b5309867350758dd2a55ab2`
SHA256	`779b26847b60752d67d97ba14fa819e5eadb03e64b2301ac7499c338432ad9df`
SHA3	`2de84baffa97d31ad76bfe5cde98885eb53e4ca69af7284df2fb1524161111ca`
VirtualSize	`0x40b0`
VirtualAddress	`0x409000`
SizeOfRawData	`0x4200`
PointerToRawData	`0x405200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.76207`

_RDATA

MD5	`a812d23658b2dbf9439561c0c40972e4`
SHA1	`a7d5d9dade34e1e8301ab2de0588dcfd313064fc`
SHA256	`5bef5de69c8dde4a46087ab3591589086ff40f552fdce04829fc8b7fb4ce46af`
SHA3	`91f0f4ee691ab874a1c7dfff61cde017c75a868b6a3b60449446d0a7abd290fe`
VirtualSize	`0x15c`
VirtualAddress	`0x40e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x409400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.33894`

.rsrc

MD5	`7e80165183fc128807220f93d48dffd9`
SHA1	`09f929b0ae6203c5160803d491e04aae0e3db4c4`
SHA256	`4212e797f1b211e3ad9bf78132c6534278f389093d2c115fa56b9693d1d54118`
SHA3	`db8345b21e813da1318bd44b4acfc363ae3a70837a5e1b9d0494dfa6ec36ebcb`
VirtualSize	`0x1e0`
VirtualAddress	`0x40f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x409600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

.reloc

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc60`
VirtualAddress	`0x410000`
SizeOfRawData	`0`
PointerToRawData	`0x409800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`

.lol

MD5	`fa6fc1468703f4d26be93acf8345ddc1`
SHA1	`44d80985b9ca62544a211e0abb64d6b904c29bff`
SHA256	`cd72a709b982471bf4cc361ffcfe0ca4ec0ec59f7a4442718c88cfd8e42a05bb`
SHA3	`219d508228b176bd46b650349a4c082332be0178fc6ed33d4fd3d89e7415b2d9`
VirtualSize	`0x7c8000`
VirtualAddress	`0x411000`
SizeOfRawData	`0x24b469`
PointerToRawData	`0x409800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99991`

Imports

KERNEL32.dll	`GetProcAddress` `CreateRemoteThread` `CreateProcessA` `GetVolumeInformationA` `LoadLibraryA` `GetModuleFileNameW` `WriteConsoleW` `Sleep` `ReadFile` `HeapSize` `GetConsoleOutputCP` `FlushFileBuffers` `ReadConsoleW` `ReadConsoleInputW` `SetConsoleMode` `GetConsoleMode` `CreateFileW` `SetStdHandle` `GetProcessHeap` `SetEnvironmentVariableW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetOEMCP` `GetACP` `IsValidCodePage` `FindNextFileW` `FindFirstFileExW` `FindClose` `SetFilePointerEx` `GetFileSizeEx` `WideCharToMultiByte` `InitializeSRWLock` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `TryEnterCriticalSection` `DeleteCriticalSection` `GetCurrentThreadId` `CloseHandle` `WaitForSingleObjectEx` `EncodePointer` `DecodePointer` `MultiByteToWideChar` `LCMapStringEx` `QueryPerformanceCounter` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `GetSystemTimeAsFileTime` `GetModuleHandleW` `CompareStringEx` `GetCPInfo` `GetStringTypeW` `InitializeCriticalSectionAndSpinCount` `SetEvent` `ResetEvent` `CreateEventW` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetStartupInfoW` `IsProcessorFeaturePresent` `GetCurrentProcessId` `InitializeSListHead` `GetCurrentProcess` `TerminateProcess` `RtlUnwindEx` `RtlPcToFileHeader` `RaiseException` `GetLastError` `SetLastError` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `GetModuleHandleExW` `ExitProcess` `GetStdHandle` `WriteFile` `GetCommandLineA` `GetCommandLineW` `GetConsoleCP` `HeapFree` `HeapAlloc` `GetFileType` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `HeapReAlloc`
ADVAPI32.dll	`CryptAcquireContextW`
WS2_32.dll	`WSAStartup` `__WSAFDIsSet` `closesocket` `select` `shutdown` `WSASocketW` `getaddrinfo` `getpeername` `send` `socket` `ntohs` `connect` `recv` `getsockopt` `freeaddrinfo` `ioctlsocket` `getnameinfo` `setsockopt` `WSAGetLastError` `WSACleanup`
ntdll.dll	`RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlCaptureContext`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Jan-20 18:33:30
Version	`0.0`
SizeofData	`1008`
AddressOfRawData	`0x7d90c`
PointerToRawData	`0x7c70c`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2023-Jan-20 18:33:30
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x14007dd20`
EndAddressOfRawData	`0x14007dd28`
AddressOfIndex	`0x140407530`
AddressOfCallbacks	`0x1400694f8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140086048`

RICH Header

XOR Key	`0x17a4fece`
Unmarked objects	`0`
ASM objects (30795)	`10`
C++ objects (30795)	`174`
C objects (30795)	`18`
253 (VS2022 Update 3 (17.3.0) compiler 31616)	`1`
C objects (VS2022 Update 3 (17.3.0) compiler 31616)	`17`
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616)	`10`
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616)	`90`
Imports (30795)	`11`
Total imports	`173`
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-5) compiler 31630)	`8`
ASM objects (VS2022 Update 3 (17.3.4-5) compiler 31630)	`1`
Resource objects (VS2022 Update 3 (17.3.4-5) compiler 31630)	`1`
Linker (VS2022 Update 3 (17.3.4-5) compiler 31630)	`1`

Errors

[*] Warning: Section .reloc has a size of 0!