Manalyze report for b2a9c21600fae83a85ecd0ae559a5c1d7fbb6b1892488628e2f94d7548816b12

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Jun-25 09:36:53
TLS Callbacks	2 callback(s) detected.

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to AES` `Uses constants related to Blowfish`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Manipulates other processes: OpenProcess`
Suspicious	The PE is possibly a dropper.	`Resource 27 is possibly compressed or encrypted.` `Resources amount for 97.8088% of the executable.`
Malicious	VirusTotal score: 25/66 (Scanned on 2026-03-02 05:10:50)	`APEX: Malicious` `CAT-QuickHeal: Trojan.Multi` `CTX: exe.trojan.multi` `CrowdStrike: win/malicious_confidence_90% (W)` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Fortinet: W32/PossibleThreat` `Google: Detected` `Gridinsoft: Trojan.Win64.Agent.oa!s1` `Ikarus: Trojan.Win64.Agent` `Jiangmin: Trojan.Redcap.de` `Kaspersky: UDS:DangerousObject.Multi.Generic` `Lionic: Trojan.Win32.Generic.4!c` `MaxSecure: Trojan.Malware.324995110.susgen` `McAfeeD: Trojan:Win/Wacapew.FOA` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Panda: Trj/GdSda.A` `SentinelOne: Static AI - Malicious PE` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `Varist: W64/ABlTrojan.BIAE-7040` `Zillya: Trojan.Encoder.Win32.4547` `alibabacloud: Software:Multi/Wacatac.C9nj`

Hashes

MD5	`638977695a32842baecad9dcf4f6034e`
SHA1	`79d422a22e4a825f4315f544b110a186c402186b`
SHA256	`b2a9c21600fae83a85ecd0ae559a5c1d7fbb6b1892488628e2f94d7548816b12`
SHA3	`94ad0a112aad856e5545a4116a67fdebcb252854fa46b6e117e190de01c17e01`
SSDeep	`196608:nyo5Ut79TyCLpRnVlv7le32bB5Z+CC9/d7:n+bh9vHbLZ+CC9`
Imports Hash	`fc3b0de2e7f988c46ed9c8e46a804071`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2025-Jun-25 09:36:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x1f400`
SizeOfInitializedData	`0x6b2e00`
SizeOfUninitializedData	`0x27e00`
AddressOfEntryPoint	`0x00000000000010F6 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x6e2000`
SizeOfHeaders	`0x400`
Checksum	`0x2bfa7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`cad98c7d7d691f5e19995e9e94a5cd15`
SHA1	`d85f19ff589340019399751c0b610e7a2e33efda`
SHA256	`46dea97b6744e0721064b020c528e1f6a2e25380450813c01b180bed17338474`
SHA3	`71eef765a31ad0137034614154291ad3b22d37d8af6561b1270caf4296911cc8`
VirtualSize	`0x1f2a8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1f400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.32412`

.data

MD5	`c4a257e6a0ac7bd399298dccf66d26b2`
SHA1	`23b2108c3ea1bcfca31307a15c8cc99ff3edd567`
SHA256	`e7cc89108ddfc002ec5dfcfd79fdc4315d403fff63e471e98c452e9cf3d3d4e4`
SHA3	`47bcd185797f9ff162da530451efac7ca8ccc7b90f0bc04cbcaeae58a98223a3`
VirtualSize	`0x130`
VirtualAddress	`0x21000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1f800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.33643`

.rdata

MD5	`83c66cb3d3266a62cc2b364cfa21ee41`
SHA1	`4b19b3ec41df65097e0c368537902cd6151010d2`
SHA256	`d0ad5a1ccef1db92b55d8453d6dac058e50fa80dedf80afa5abbd018c0e8986e`
SHA3	`a785834be6dcb90fb6162d996d92af90cb156e08d59a2a06e501776efd9b30cf`
VirtualSize	`0x2eb0`
VirtualAddress	`0x22000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x1fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.22114`

.eh_fram

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x4`
VirtualAddress	`0x25000`
SizeOfRawData	`0x200`
PointerToRawData	`0x22a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.pdata

MD5	`e82a046c2d371841b185353e47d3ffbf`
SHA1	`4b8511cb65fc51ce2af92157ec84c4cd124d150c`
SHA256	`6034071eb76d9599ec41b920dd93586036248d35ee5cc58a2c8c800374e21b23`
SHA3	`d4d97fbe6c53781aa237c2927d6fd15d90fd15dd005c2b435320ed584116328e`
VirtualSize	`0x954`
VirtualAddress	`0x26000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x22c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.9733`

.xdata

MD5	`51e2916e682dd9e84eba6397904d8de9`
SHA1	`e6e57d626d5daaebc22444cffe3bcf2d18c19da5`
SHA256	`40a8f184379959f9aee53fdf7ef3c5362a3238204da2f4e095a466c06f8ce803`
SHA3	`e73bf737fb3717a304220f16989881cca00320de9dbf0dc2f24fc3b4465fc904`
VirtualSize	`0xb28`
VirtualAddress	`0x27000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x23600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.47715`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x27cd0`
VirtualAddress	`0x28000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`2ca3a8d0fa1c37927e3d2cda71e80bf2`
SHA1	`2271c2d85dd3d26c6001ac31dd39f2ad93ba995b`
SHA256	`a403ed7e6737394c1c9318148517bd1b40a62235d4fddb5c12fa183b0db710ab`
SHA3	`1fa5bd3a11763bef7c204d7f4b245b0b2e06c8a677528fee6661b3139261b8d1`
VirtualSize	`0xfe0`
VirtualAddress	`0x50000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x24200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.3282`

.CRT

MD5	`b0b9d8e1d47f35a85ab461edec7e56cd`
SHA1	`7346f203460081666d646845a8de0a29dc7f48ae`
SHA256	`a4ab3fc6138a87bdc945d6e7e40e64d3eafa252cbca2ee8e89b3278fa3238183`
SHA3	`73c6b55d2ac03990408a571e370fc98f3ceae2c09de95bdd04b42a7a190ed73f`
VirtualSize	`0x60`
VirtualAddress	`0x51000`
SizeOfRawData	`0x200`
PointerToRawData	`0x25200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.289052`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x52000`
SizeOfRawData	`0x200`
PointerToRawData	`0x25400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`fd129be06b8468f0993d9f25be8b44c8`
SHA1	`ad6afa724cd812e5e248bdc7cfdf559464f29756`
SHA256	`0eda5e24e1e91575d8b2f2938c1876507d0baf434286b34786aedb116d17304f`
SHA3	`f12e51c484f9d844a6a389afa493a144011c08c094484f702a742b5a82ccc5d3`
VirtualSize	`0x68d954`
VirtualAddress	`0x53000`
SizeOfRawData	`0x68da00`
PointerToRawData	`0x25600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99918`

.reloc

MD5	`161d65cc6969ae35a38ff9858b52cc2b`
SHA1	`395c0d55234006ecb3de5acd487911db9d050cb8`
SHA256	`c64d9379996d2a860fd7bd3d2496cdabcb519f844ccbea605d6d24433928bffd`
SHA3	`d339b927cb1d29900496299689925028198129bd322ee40033df101ef95304cf`
VirtualSize	`0x94`
VirtualAddress	`0x6e1000`
SizeOfRawData	`0x200`
PointerToRawData	`0x6b3000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.83834`

Imports

KERNEL32.dll	`AddDllDirectory` `CloseHandle` `CopyFileW` `CreateDirectoryW` `CreateFileMappingW` `CreateFileW` `CreateProcessW` `DeleteCriticalSection` `DeleteFileW` `EnterCriticalSection` `FindResourceA` `FormatMessageA` `FreeLibrary` `GenerateConsoleCtrlEvent` `GetCommandLineW` `GetCurrentProcessId` `GetEnvironmentVariableW` `GetExitCodeProcess` `GetFileAttributesW` `GetFileSize` `GetLastError` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleExA` `GetProcAddress` `GetProcessId` `GetShortPathNameW` `GetStartupInfoW` `GetStdHandle` `GetSystemTimeAsFileTime` `GetTempPathW` `InitializeCriticalSection` `IsDBCSLeadByteEx` `K32GetModuleFileNameExW` `LeaveCriticalSection` `LoadLibraryA` `LoadLibraryExW` `LoadResource` `LockResource` `MapViewOfFile` `MultiByteToWideChar` `OpenProcess` `ReadFile` `SetConsoleCtrlHandler` `SetEnvironmentVariableW` `SetUnhandledExceptionFilter` `SizeofResource` `Sleep` `TerminateProcess` `TlsGetValue` `UnmapViewOfFile` `VirtualProtect` `VirtualQuery` `WaitForSingleObject` `WideCharToMultiByte` `WriteFile`
msvcrt.dll	`__C_specific_handler` `___lc_codepage_func` `___mb_cur_max_func` `__argc` `__iob_func` `__set_app_type` `__setusermatherr` `__wargv` `__wgetmainargs` `__winitenv` `_amsg_exit` `_cexit` `_commode` `_errno` `_fmode` `_initterm` `_lock` `_onexit` `_unlock` `_wcmdln` `_wcsdup` `_wcsicmp` `_wrename` `abort` `calloc` `exit` `fwprintf` `fprintf` `fputc` `fputwc` `free` `fwrite` `iswctype` `localeconv` `malloc` `mbstowcs` `memcpy` `memmove` `memset` `puts` `signal` `strerror` `strlen` `strncmp` `vfprintf` `wcschr` `wcscmp` `wcslen` `wcsncmp` `wcstoul`
SHELL32.dll	`CommandLineToArgvW` `SHFileOperationW` `SHGetFolderPathW`

Delayed Imports

27

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68d3c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99919`
MD5	`4fcea3e0699103022115d83c70944f02`
SHA1	`8466302f927df7a9d1e1140d0d24d3e2bb7d1155`
SHA256	`2e49fe002afe04b16662e21aee6d9ae2a9e22b8444faf845547be3a7715bdfb4`
SHA3	`62feeda9ec821a43be4e6af51efb65580bce9bf58d8625d5606f5a154a5e0006`

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4f1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.27584`
MD5	`9175a1fabff80fec23018fdfc1dc274b`
SHA1	`be8f32edef4e9f4aa514fa34f36ca9ee0204139b`
SHA256	`94b146eac0a80f5089ac9e57303515ddf9087d9d88fd4d47f27df8f3cf14cbb4`
SHA3	`934768e038a5727d347f31840aaab3de69c96e1d4bca3c9e726bae6be020edf3`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140052000`
EndAddressOfRawData	`0x140052008`
AddressOfIndex	`0x14004f1c0`
AddressOfCallbacks	`0x140051038`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140015A40` `0x0000000140015B00`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.