Manalyze report for ade6b6e09ec807df13e6128b48461ff279967f72bd12cfc777d7114e44b1219c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Feb-29 02:10:02
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: \xf0\x9f\xa7\xa0McC>` `Unusual section name found: \xf0\x9f\xa7\xa0=sSv` `Unusual section name found: \xf0\x9f\xa7\xa0:v:.` `Unusual section name found: \xf0\x9f\xa7\xa0#=9K` `Unusual section name found: \xf0\x9f\xa7\xa0QGxF` `Unusual section name found: \xf0\x9f\xa7\xa0Kpw/` `Unusual section name found: \xf0\x9f\xa7\xa0P5Rr` `Unusual section name found: \xf0\x9f\xa7\xa0zIDm` `Unusual section name found: \xf0\x9f\xa7\xa0@z@j`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Leverages the raw socket API to access the Internet: WSAGetLastError` `Functions related to the privilege level: OpenProcessToken` `Interacts with the certificate store: CertOpenStore`
Malicious	VirusTotal score: 34/73 (Scanned on 2024-05-23 00:10:24)	`APEX: Malicious` `AhnLab-V3: HackTool/Win.GameHack.R645913` `Alibaba: Packed:Win64/VMProtect.21c52679` `Antiy-AVL: Trojan[Packed]/Win64.VMProtect` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win64/Packed.VMProtect.AA suspicious` `Elastic: malicious (high confidence)` `Fortinet: Riskware/Application` `GData: Win64.Trojan.Agent.NE8GUR` `Google: Detected` `Gridinsoft: Ransom.Win64.Sabsik.ns` `Ikarus: Trojan.Win64.Vmprotect` `K7AntiVirus: Trojan ( 005a7d181 )` `K7GW: Trojan ( 005a7d181 )` `Kingsoft: Win32.Troj.Generic.v` `Malwarebytes: Trojan.MalPack.PES` `MaxSecure: Trojan.Malware.3411146.susgen` `McAfeeD: Real Protect-LS!BA41431C69CB` `Microsoft: PUA:Win32/Packunwan` `Paloalto: generic.ml` `Panda: Trj/Chgt.AD` `Rising: Trojan.Znyonm!8.18A3A (CLOUD)` `Sangfor: PUP.Win64.Packed.V1dk` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score` `Varist: W64/ABRisk.CWYF-4897` `Webroot: W32.Trojan.TE` `Xcitium: ApplicUnwnt@#3mwykdtu5svn8` `alibabacloud: VirTool:Win/Packed.VMProtect.AM`

Hashes

MD5	`ba41431c69cb3a3a558b7d363ad5160c`
SHA1	`c981e506dd06d254c456b64fb01de3e5a73ee178`
SHA256	`ade6b6e09ec807df13e6128b48461ff279967f72bd12cfc777d7114e44b1219c`
SHA3	`5215070533ed5f28774cf0366dfdbe0ab31ff8300ab12860dd1c2bcc3337b126`
SSDeep	`786432:76DrnZZjyehu2r/MTNwXqTlgRoZCGQ3T:76v7uZ2XqBiZGQ3T`
Imports Hash	`246d79dde4b938bba513cbd61747459d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2024-Feb-29 02:10:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xab400`
SizeOfInitializedData	`0x16c200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000268F6DE (Section: \xf0\x9f\xa7\xa0zIDm)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x2ea6000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

\xf0\x9f\xa7\xa0McC>

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xab32e`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0=sSv

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x9da3c`
VirtualAddress	`0xad000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0:v:.

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xc54a0`
VirtualAddress	`0x14b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

\xf0\x9f\xa7\xa0#=9K

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6114`
VirtualAddress	`0x211000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0QGxF

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2208`
VirtualAddress	`0x218000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0Kpw/

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x12252d4`
VirtualAddress	`0x21b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`

\xf0\x9f\xa7\xa0P5Rr

MD5	`32d57ab6e3a4f34a6b98ba4de0974589`
SHA1	`d3c74ece0b2aaa440d7c4d5a7fef82711444a968`
SHA256	`d0bcaf76c207033e80da6ed3609d35d0516d85596a13c38a8e6e66f8cc523d5b`
SHA3	`26cb675503959e46ad20f7b34f296869140773300e6e3909ee0d2f82c6d58019`
VirtualSize	`0x17e8`
VirtualAddress	`0x1441000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.303772`

\xf0\x9f\xa7\xa0zIDm

MD5	`6cd264a81e90d8b5cf488a1b7267bf52`
SHA1	`9d0d424fee853bd032dbffa22b229665fe4f501c`
SHA256	`a00252b67f92cbb9e2a25830f5cec8fe5643786b53580cbf8b16137190ca21a5`
SHA3	`02bc6ed08074e753ac4ee751a6db47bf989fe9d15c60cdac18dbc11452b55ca7`
VirtualSize	`0x1a613a4`
VirtualAddress	`0x1443000`
SizeOfRawData	`0x1a61400`
PointerToRawData	`0x1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.84751`

\xf0\x9f\xa7\xa0@z@j

MD5	`c3f71cbb1c3af69cf9d86e319531b91b`
SHA1	`5d989cc40088c9b7532f504c8d03c5bd9d087595`
SHA256	`955b2312f522c9e3a7597756dd98fa0dd8e160f50744bd59cc020655b049ffca`
SHA3	`6d51227b3e48231cad1150c1548d015ea867ce1c5279a63cb6d08b4e2cbf69ba`
VirtualSize	`0x2e1`
VirtualAddress	`0x2ea5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1a63000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.30645`

Imports

KERNEL32.dll	`GetComputerNameA`
USER32.dll	`GetActiveWindow`
GDI32.dll	`DeleteDC`
ADVAPI32.dll	`OpenProcessToken`
SHELL32.dll	`SHGetKnownFolderPath`
ole32.dll	`CoCreateGuid`
OLEAUT32.dll	`VariantClear`
ntdll.dll	`NtClose`
MSVCP140.dll	`??1_Lockit@std@@QEAA@XZ`
SHLWAPI.dll	`PathFindExtensionW`
WS2_32.dll	`WSAGetLastError`
CRYPT32.dll	`CertOpenStore`
Secur32.dll	`InitSecurityInterfaceW`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_47.dll	`D3DCompile`
IMM32.dll	`ImmSetCompositionWindow`
gdiplus.dll	`GdipSaveImageToFile`
DNSAPI.dll	`DnsNameCompare_W`
RPCRT4.dll	`UuidToStringW`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`memcmp`
api-ms-win-crt-heap-l1-1-0.dll	`_callnewh`
api-ms-win-crt-string-l1-1-0.dll	`wcsnlen`
api-ms-win-crt-runtime-l1-1-0.dll	`_invalid_parameter_noinfo_noreturn`
api-ms-win-crt-stdio-l1-1-0.dll	`fputc`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-convert-l1-1-0.dll	`_itow_s`
api-ms-win-crt-filesystem-l1-1-0.dll	`_lock_file`
api-ms-win-crt-time-l1-1-0.dll	`_time64`
api-ms-win-crt-math-l1-1-0.dll	`ldexp`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
KERNEL32.dll (#2)	`GetComputerNameA`
KERNEL32.dll (#3)	`GetComputerNameA`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x289`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.05508`
MD5	`d28dfc8159f57a557fd3ac5ff8010b47`
SHA1	`269e00eb41eb2a102fdc24763539f758c4370a5f`
SHA256	`c687fd0335259d5149882376f6e7eb501aa1ccf5b4057c44e07760e1b1b799b9`
SHA3	`68f173ef697908b29e1cfeb47c9769a334914e4047c34fd9529fd2854aaeacf2`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14014b5c0`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section \xf0\x9f\xa7\xa0McC> has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0=sSv has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0:v:. has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0#=9K has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0QGxF has a size of 0!
[*] Warning: Section \xf0\x9f\xa7\xa0Kpw/ has a size of 0!

Leave a comment

No comments yet.