Manalyze report for ac467580f8e5e8436dc98f75e5530c336c3644e064d983d398a81699125c04f4

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Info	Interesting strings found in the binary:	Contains domain names: -github.com .eq.github.com .eq.golang.org .hash.net 0www.entrust.net GoDaddy.com Izenpe.com US3940200619639447921227904010014361380507973927046544666794829340424572177149687032904726608825893800186160697311231939402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643publicsuffix.org adguard-dns.com ajax.googleapis.com api2.sec-tunnel.com cert.fnmt.es certigna.fr cleanbrowsing.org cloudflare-dns.com comodoca.com crl.certigna.fr crl.comodoca.com crl.d-trust.net crl.dhimyotis.com crl.securetrust.com d-trust.net dhimyotis.com digicert.com directory.d-trust.net dns.adguard-dns.com dns.quad9.net doh.cleanbrowsing.org entrust.net eq.github.com eq.golang.org fidelity.vm-0.com firmaprofesional.com github.com golang.org googleapis.com http://crl.certigna.fr http://crl.certigna.fr/certignarootca.crl01 http://crl.comodoca.com http://crl.comodoca.com/COMODOCertificationAuthority.crl0 http://crl.d-trust.net http://crl.d-trust.net/crl/d-trust_br_root_ca_1_2020.crl0y http://crl.d-trust.net/crl/d-trust_br_root_ca_2_2023.crl0 http://crl.d-trust.net/crl/d-trust_ev_root_ca_1_2020.crl0y http://crl.d-trust.net/crl/d-trust_ev_root_ca_2_2023.crl0 http://crl.dhimyotis.com http://crl.dhimyotis.com/certignarootca.crl0 http://crl.securetrust.com http://crl.securetrust.com/SGCA.crl0 http://crl.securetrust.com/STCA.crl0 http://ocsp.accv.es0 http://repository.swisssign.com http://repository.swisssign.com/0 http://www.accv.e http://www.accv.es http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0 http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0 http://www.accv.es/legislacion_c.htm0U http://www.cert.fnmt.es http://www.cert.fnmt.es/dpcs/0 http://www.d-trust.net http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl0 http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl0 http://www.firmaprofesional.com http://www.firmaprofesional.com/cps0\ http://www.quovadisglobal.com http://www.quovadisglobal.com/cps0 https://1.1.1.1 https://1.1.1.1/dns-query,tls https://1.1.1.3 https://1.1.1.3/dns-queryhttps https://8.8.8.8 https://8.8.8.8/dns-queryoverride https://ajax.googleapis.com https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.jstls https://api2.sec-tunnel.com https://api2.sec-tunnel.com/v4/device_generate_passwordCN https://api2.sec-tunnel.com/v4/discoverCN https://api2.sec-tunnel.com/v4/geo_listhttps https://api2.sec-tunnel.com/v4/register_deviceCN https://api2.sec-tunnel.com/v4/register_subscriberCN https://api2.sec-tunnel.com/v4/subscriber_loginCN https://dns.adguard-dns.com https://dns.adguard-dns.com/dns-queryuse https://dns.google https://dns.quad9.net https://dns.quad9.net/dns-querybad https://doh.cleanbrowsing.org https://doh.cleanbrowsing.org/doh/adult-filter/certificate https://fidelity.vm-0.com https://fidelity.vm-0.com/qRetrying https://go.dev https://security.cloudflare-dns.com https://security.cloudflare-dns.com/dns-querycontext https://wikimedia-dns.org https://wwww.certigna.fr https://wwww.certigna.fr/autorites/0m izenpe.com quad9.net quovadisglobal.com repository.swisssign.com sec-tunnel.com securetrust.com security.cloudflare-dns.com swisssign.com trust.net tunnel.com wikimedia-dns.org www.accv.es www.cert.fnmt.es www.d-trust.net www.digicert.com www.entrust.net www.firmaprofesional.com www.quovadisglobal.com wwww.certigna.fr
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata` `Unusual section name found: .symtab`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread`
Suspicious	VirusTotal score: 1/71 (Scanned on 2026-02-23 04:02:49)	`CrowdStrike: win/grayware_confidence_60% (D)`

Hashes

MD5	`1c719bfffa58b5ea257fce25c76c71e7`
SHA1	`f90a1f894ece68ccb95b1dc7fd3eb57e43e00a9b`
SHA256	`ac467580f8e5e8436dc98f75e5530c336c3644e064d983d398a81699125c04f4`
SHA3	`c20549fe0e924cb86f0eb4e792c9b37734fb8593cf9dc9d3fb8f7fe7bdbd9b61`
SSDeep	`49152:CIyBUcx93IZsorGkN2TdgTfSbOqCBVaIN/m+UylSwO6QjWP8xmRj4IPXDScvyn6:Cf/WU1Ojav+UC5vL+out6Xux4yE`
Imports Hash	`62c6ec0a84a8c96d7b269518777f6dca`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0x8b`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x6f5200`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0x30f800`
SizeOfInitializedData	`0x77000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000007BEE0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`1.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x751000`
SizeOfHeaders	`0x600`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4945b1e8a665c63364b344545c478c69`
SHA1	`d2aa52f16dc1d859aa58d4c9f2c238b1cc26fbcc`
SHA256	`0edf8aa479d5de3276a027df6d78edcf6a08f0f6681eb852a1d797f5466dbbd3`
SHA3	`e993e5e28da7d6fb6eb8d85c9aa877830a057cec827c69d319647fae960a0e04`
VirtualSize	`0x30f711`
VirtualAddress	`0x1000`
SizeOfRawData	`0x30f800`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.17703`

.rdata

MD5	`53ad9b75f88561028eb3aa4dfc310087`
SHA1	`ffb29ae50e3bfa8506148684a0d533c10e445e25`
SHA256	`b990bef0d2d7186656deec3ec02a8573c675d73227ea6f3f78acb79fa51c0554`
SHA3	`8e627cf04e39d083d222f4a3498a430d628435b7c5fa012ad545c5821f3b8269`
VirtualSize	`0x34bd70`
VirtualAddress	`0x311000`
SizeOfRawData	`0x34be00`
PointerToRawData	`0x30fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.64848`

.data

MD5	`f7e0ec92a227d65937f69fcb0b0a7c41`
SHA1	`82684c1d68fc525a38f33f07890cd6801b77bbe5`
SHA256	`425467194153fddc52e023e5dd0fa520fe5567fd33a9a7e7750fc7ed2188be76`
SHA3	`c106be7386d468595841f4b292866f51cdc7564c4b06fce74ae00486dda176c6`
VirtualSize	`0xcd0f0`
VirtualAddress	`0x65d000`
SizeOfRawData	`0x77000`
PointerToRawData	`0x65bc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.79179`

.pdata

MD5	`1754d6f486a96fe9affa5c26ac695273`
SHA1	`ef4b6d776e57e012b4de837f479c9ef97980e1d3`
SHA256	`c39cb8ac0910e52ec235c6d02bfb200438281231700d97d505564715ea2d693b`
SHA3	`b183a0763162d083223859fe5b77c007aff5d9f20bf015311914ffc73a7db1dd`
VirtualSize	`0x1248c`
VirtualAddress	`0x72b000`
SizeOfRawData	`0x12600`
PointerToRawData	`0x6d2c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.49011`

.xdata

MD5	`40885fe06be1a01148ac0cd21ff7c528`
SHA1	`f66aaf8efe72265fdf24873535be35e3a9ce1ab6`
SHA256	`4e3a9737bddf63503c6205e88daf688797d4d684cf18bee54cd9e4a449b5c599`
SHA3	`53a3c686bf7b0e3a3ba2e945e002bc4e3fc1f3058834c003b64375a3823e3ef0`
VirtualSize	`0xb4`
VirtualAddress	`0x73e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x6e5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.78321`

.idata

MD5	`b11a76e1f870b0c32068f6de9becca37`
SHA1	`fdf23a1171b2d3447c83060d0471489f266b6c98`
SHA256	`21fa5b81960c1e1350960df017f3c0778d8d134b177c6d17edc53c6620444a98`
SHA3	`3968982e59a2a0c12ee9b100875506b48cff8eda8ccae6eabcd7c5430008e304`
VirtualSize	`0x556`
VirtualAddress	`0x73f000`
SizeOfRawData	`0x600`
PointerToRawData	`0x6e5400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.01628`

.reloc

MD5	`8e6afda5133e5e315d2f25d795c28203`
SHA1	`107bf774ab59cb7ef5ba1e672c5c453165d0b67c`
SHA256	`a6a2e376bde1477947ce1e63b6d672baa30bd1570716c9e353a7d0b4e150dd73`
SHA3	`82cea7b9b28d529d20327c21cf35a1ad092a403ba239075395ea4e6780b94e7a`
VirtualSize	`0xf6e8`
VirtualAddress	`0x740000`
SizeOfRawData	`0xf800`
PointerToRawData	`0x6e5a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.43024`

.symtab

MD5	`07b5472d347d42780469fb2654b7fc54`
SHA1	`943ae54f4818e52409fbbaf60ffd71318d966b0d`
SHA256	`3e67f4a7d14b832ff2a2433e9cf0f6f5720821f67148a87c0ee2595a20c96c68`
SHA3	`a70a3e18515c06557b62676f2a8eb6d7d41962d8c9c7c49f4641c429cc65b977`
VirtualSize	`0x4`
VirtualAddress	`0x750000`
SizeOfRawData	`0x200`
PointerToRawData	`0x6f5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.0203931`

Imports

kernel32.dll	`WriteFile` `WriteConsoleW` `WerSetFlags` `WerGetFlags` `WaitForMultipleObjects` `WaitForSingleObject` `VirtualQuery` `VirtualFree` `VirtualAlloc` `TlsAlloc` `SwitchToThread` `SuspendThread` `SetWaitableTimer` `SetProcessPriorityBoost` `SetEvent` `SetErrorMode` `SetConsoleCtrlHandler` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `ResumeThread` `RaiseFailFastException` `PostQueuedCompletionStatus` `LoadLibraryA` `LoadLibraryW` `LoadLibraryExW` `SetThreadContext` `GetThreadContext` `GetSystemInfo` `GetSystemDirectoryA` `GetStdHandle` `GetQueuedCompletionStatusEx` `GetProcessAffinityMask` `GetProcAddress` `GetErrorMode` `GetEnvironmentStringsW` `GetCurrentThreadId` `GetConsoleMode` `FreeEnvironmentStringsW` `ExitProcess` `DuplicateHandle` `CreateWaitableTimerExW` `CreateThread` `CreateIoCompletionPort` `CreateEventA` `CloseHandle` `AddVectoredExceptionHandler` `AddVectoredContinueHandler`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.