Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2023-Jan-20 18:33:30 |
Detected languages | English - United States |
Info | Interesting strings found in the binary: Contains domain names: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to MD5; Microsoft's Cryptography API |
Suspicious | The PE is possibly packed. Unusual section name found: .lol; Section .lol is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 13/70 (Scanned on 2023-01-22 17:18:28). FireEye: Generic.mg.a8386896c08f210a; Cybereason: malicious.a386bb; Symantec: ML.Attribute.HighConfidence; Elastic: malicious (high confidence); APEX: Malicious; Sophos: Generic ML PUA (PUA); McAfee-GW-Edition: BehavesLike.Win64.Generic.vc; Ikarus: Trojan.Win64.Agent; Microsoft: Trojan:Win32/Sabsik.FL.B!ml; Gridinsoft: Trojan.Heur!.03210023; Google: Detected; Acronis: suspicious; MaxSecure: Trojan.Malware.300983.susgen |

e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x108 |

Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 8 |
TimeDateStamp | 2023-Jan-20 18:33:30 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_LARGE_ADDRESS_AWARE; IMAGE_FILE_RELOCS_STRIPPED |

Magic | PE32+ |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x67a00 |
SizeOfInitializedData | 0x3a4400 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000000000003CC00 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0xbd9000 |
SizeOfHeaders | 0x400 |
Checksum | 0x6594e9 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA; IMAGE_DLLCHARACTERISTICS_NX_COMPAT; IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

KERNEL32.dll | GetProcAddress, CreateRemoteThread, CreateProcessA, GetVolumeInformationA, LoadLibraryA, GetModuleFileNameW, WriteConsoleW, Sleep, ReadFile, HeapSize, GetConsoleOutputCP, FlushFileBuffers, ReadConsoleW, ReadConsoleInputW, SetConsoleMode, GetConsoleMode, CreateFileW, SetStdHandle, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetFilePointerEx, GetFileSizeEx, WideCharToMultiByte, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, QueryPerformanceCounter, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, CompareStringEx, GetCPInfo, GetStringTypeW, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, CreateEventW, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwindEx, RtlPcToFileHeader, RaiseException, GetLastError, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, ExitProcess, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, GetConsoleCP, HeapFree, HeapAlloc, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc |
---|---|
ADVAPI32.dll | CryptAcquireContextW |
WS2_32.dll | WSAStartup, __WSAFDIsSet, closesocket, select, shutdown, WSASocketW, getaddrinfo, getpeername, send, socket, ntohs, connect, recv, getsockopt, freeaddrinfo, ioctlsocket, getnameinfo, setsockopt, WSAGetLastError, WSACleanup |
ntdll.dll | RtlLookupFunctionEntry, RtlVirtualUnwind, RtlCaptureContext |

Characteristics | 0 |
---|---|
TimeDateStamp | 2023-Jan-20 18:33:30 |
Version | 0.0 |
SizeofData | 1008 |
AddressOfRawData | 0x7d90c |
PointerToRawData | 0x7c70c |

Characteristics | 0 |
---|---|
TimeDateStamp | 2023-Jan-20 18:33:30 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |

StartAddressOfRawData | 0x14007dd20 |
---|---|
EndAddressOfRawData | 0x14007dd28 |
AddressOfIndex | 0x140407530 |
AddressOfCallbacks | 0x1400694f8 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_ALIGN_4BYTES |
Callbacks | (EMPTY) |

Size | 0x140 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x140086048 |

XOR Key | 0x17a4fece |
---|---|
Unmarked objects | 0 |
ASM objects (30795) | 10 |
C++ objects (30795) | 174 |
C objects (30795) | 18 |
253 (VS2022 Update 3 (17.3.0) compiler 31616) | 1 |
C objects (VS2022 Update 3 (17.3.0) compiler 31616) | 17 |
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616) | 10 |
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616) | 90 |
Imports (30795) | 11 |
Total imports | 173 |
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-5) compiler 31630) | 8 |
ASM objects (VS2022 Update 3 (17.3.4-5) compiler 31630) | 1 |
Resource objects (VS2022 Update 3 (17.3.4-5) compiler 31630) | 1 |
Linker (VS2022 Update 3 (17.3.4-5) compiler 31630) | 1 |