Manalyze report for bbaf422d3aa8d40eb1933dc2ef12421226a4f09841cca22d23b1f50921471d81

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Feb-27 00:51:27
Detected languages	English - United States Polish - Poland
CompanyName	BOOST - NET KRZYSZTOF ZAGÓRSKI
FileDescription	Metin2 Bot
FileVersion	`1.4.5.5`
InternalName	HLBot
LegalCopyright	Copyright (C) 2025
OriginalFilename	HLBot.exe
ProductName	HLBot
ProductVersion	`1.4.5.5`

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .3ZG` `Unusual section name found: .J#b` `Unusual section name found: .9}\`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: SHDeleteKeyW` `Uses Microsoft's cryptographic API: CryptAcquireContextA`
Info	The PE is digitally signed.	`Signer: BOOST - NET KRZYSZTOF ZAG\xC3\x93RSKI` `Issuer: Certum Code Signing 2021 CA`
Suspicious	VirusTotal score: 1/71 (Scanned on 2025-03-09 18:19:56)	`VBA32: Malware-Cryptor.Inject.gen`

Hashes

MD5	`4e643bd7e075f5f625171d7601c38c5d`
SHA1	`4a80d21bfe822add9de82b71524e9993cd36e872`
SHA256	`bbaf422d3aa8d40eb1933dc2ef12421226a4f09841cca22d23b1f50921471d81`
SHA3	`1f939b320cda9ff8b7c7a16cd00d0deb8632e8af2352d75aaebaffdc3fd3069d`
SSDeep	`196608:zJFRyvNcNv+GPWUoTOFkAQwIbFoeSw58LvhlzoD6nyvOV+pTvMcTbcMHYAS:VFs2Nv+FUoTOjCFoeSw5gvhdnIOVWMZ`
Imports Hash	`7ab2ac64a9def8ac2838fbcd36c92b45`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2025-Feb-27 00:51:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xece00`
SizeOfInitializedData	`0x1b6000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0105590D (Section: .9}\)`
BaseOfCode	`0x1000`
BaseOfData	`0xee000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1289000`
SizeOfHeaders	`0x400`
Checksum	`0xa4c515`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xecd04`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1830a4`
VirtualAddress	`0xee000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x7b04`
VirtualAddress	`0x272000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.3ZG

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5d1530`
VirtualAddress	`0x27a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.J#b

MD5	`9ccdf0b0bc10b2979ac8576a20da09e8`
SHA1	`359d73f2726b6cdf7689cff88c7c1198d01dc888`
SHA256	`9e174ca3835e9f23b36100b7994552d03f5f88e47b7d28ef9acb788e13fce0c3`
SHA3	`22f2d1d48257fb6a6a6f74bbfeeca4c20352f814930ed67ea3f64c8d4c6bc47c`
VirtualSize	`0x88`
VirtualAddress	`0x84c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.81186`

.9}\

MD5	`a2e5aaeac9a98537685f39a1e7b49f43`
SHA1	`26fed7e7ad2d5f3631c981f8f132c259bb8dd3bc`
SHA256	`af5e9c914b1ce63dbab53e22c5cd9053708d1eceb0343ec15a31e1123c47e826`
SHA3	`0129b5c80b1e14ed2193b416fbee56379963f55914ae4e2badd4675564d942db`
VirtualSize	`0xa1f340`
VirtualAddress	`0x84d000`
SizeOfRawData	`0xa1f400`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.92292`

.rsrc

MD5	`389941342c71e8ff2fd0c8dedd8b9a67`
SHA1	`ee14eb0c6fea2cb1a4dd067bb7899b598b3cbc53`
SHA256	`192bdc68691919476e9f2a2e1dc9f8a78b298841b2228bbf28d134dc018e1654`
SHA3	`5e943a05dc285292d9ec8f4db9d04dbbc3058ab6b2d2d88c4ff0b9d6328e9f5f`
VirtualSize	`0x1abc9`
VirtualAddress	`0x126d000`
SizeOfRawData	`0x1ac00`
PointerToRawData	`0xa1fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.25223`

.reloc

MD5	`771a305b762ce80e87fad6faa2594f8d`
SHA1	`08e3f7232889c36517250647a156357a3d17ceb9`
SHA256	`f5d382cc1fc0b0423e84b168ae81723668bccf3039a9480abbcbcafadc5b6daa`
SHA3	`3db75f7420688d165ea64ce18e50f5279461a7ba59fbce14f67960cbc5d67175`
VirtualSize	`0x6f0`
VirtualAddress	`0x1288000`
SizeOfRawData	`0x800`
PointerToRawData	`0xa3a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.99572`

Imports

KERNEL32.dll	`CopyFileW`
USER32.dll	`GetWindowLongW`
ole32.dll	`CoInitializeEx`
OLEAUT32.dll	`SafeArrayGetElement`
Qt5Network.dll	`?staticMetaObject@QNetworkReply@@2UQMetaObject@@B`
Qt5Widgets.dll	`??1QPushButton@@UAE@XZ`
Qt5Gui.dll	`??1QIcon@@QAE@XZ`
Qt5Core.dll	`?disconnectNotify@QFutureWatcherBase@@MAEXABVQMetaMethod@@@Z`
USERENV.dll	`CreateEnvironmentBlock`
VERSION.dll	`GetFileVersionInfoW`
ADVAPI32.dll	`CryptAcquireContextA`
SHLWAPI.dll	`SHDeleteKeyW`
SHELL32.dll	`CommandLineToArgvW`

Delayed Imports

1

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x1ee8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.8895`
Detected Filetype	PNG graphic file
MD5	`d6381506974c1090f82824c69fe45805`
SHA1	`70fabbc137814db4b0373f7e6362dab61f083a33`
SHA256	`add93f94aaf6b3299fcdfced4bdc68e31546cc4fb9a57af10d0a236c7a95ae5b`
SHA3	`b17951f8b14f8ab188d8e860b3eacf028f9dfd5f2a7246e3ed1f7c81974fabe7`

2

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54758`
MD5	`f05e38ac48c7f7c14de07e7ba4134afa`
SHA1	`8ab441b6cdb5502500eb1cdb92bae56b586196eb`
SHA256	`f263c18e80a0f7c3fc0443290f5f26259bdb48759eb0ffdf047709c27135cd36`
SHA3	`c0025eeacb13978833f3f50e6dc662f9323b073e259495fa7cc13b3e47468e72`

3

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.8804`
MD5	`3384ea16ed47659c09d640be10844d6d`
SHA1	`b38d0c33337253dd6d3986ecd3c93926332070b9`
SHA256	`1455844e46f52448d673fbccb3df23f2f35a4d49f14b614af66c4a0b32e08d20`
SHA3	`293e00c703e57e8b4a952f144bfee64d6f7b320046cb123293a77c623472d43c`

4

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.18387`
MD5	`16aad6b1d96bceac243ca81d86ca4366`
SHA1	`3c3f148a6cc544edeb8caca046e83140e525bf3b`
SHA256	`aae766aa74529882c025314936dc2a33ea24873fe99c930a590a4995cf9f3e5f`
SHA3	`6bfe6a612375c96d27ea23c94948227f9d7fbb6bb0e18eef5b716316de9d3a16`

5

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.4925`
MD5	`fe816f1d265aec937d40c0fef43ffdd5`
SHA1	`c49fe76075d297dc7470181e5ae1b384a4b22b4b`
SHA256	`abd13a1d75ef5382cf45df7442bf53f6464bee92f220add9dc5f7d675aa2c998`
SHA3	`91b787c2ba4dc4775eb534332a7ba8c6ac9ccd1f2ad5fff172835a8984f33b7c`

6

Type	`RT_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.31927`
MD5	`a4c62d204e9b28b03531a043218ee5bc`
SHA1	`619b26632df1a789fbf08172b1f0d861064b5423`
SHA256	`dd0c738a18479f4a280d0656774b34aeb75de7bc6f150ac025f4ef2c02f33957`
SHA3	`7e3afe62bf023ca9e21c15d2c4b750d3785c518ff6b9b81eed86beb753595d51`

IDI_ICON1

Type	`RT_GROUP_ICON`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79908`
Detected Filetype	Icon file
MD5	`b8aea45620de226f53936077b15e1b91`
SHA1	`de7f329df98c8e069e1d905204199b365c72c1d6`
SHA256	`a974079b728d3b539568b5d92bfdbb9a016a126e234ca09a946a2bf8b183faeb`
SHA3	`35c07f516a846ea888a19c7b90ea4b248230554fe7b831faa6a82e952331ce22`

1 (#2)

Type	`RT_VERSION`
Language	Polish - Poland
Codepage	UNKNOWN
Size	`0x2c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50387`
MD5	`d4deb08f276c0353c95a2da1f42ac054`
SHA1	`835e38cba09cab8edf8ab90e8394f2f6bc7faf40`
SHA256	`f1c4aca7d26f78a67c60c849d429fef96af3d7e78214180f4d0044f35dc142de`
SHA3	`6bbbd1da4ed8cde83904c15b64fde94e199b42690c3312e65f7999e2b9dd3c18`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x289`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.05508`
MD5	`4c85c61f2dd57d1b1172496450c9b9b2`
SHA1	`1c71076e55984e713015397930da1a1a3ecb2be0`
SHA256	`5866ac6ac5139fe3e905f3c06999e1772bb615c72e338cc7fa262ef2932648a0`
SHA3	`fd09b482570f8fe9c5227e2ecfd7e08b8dfb16a16a9e5d7a24c06c2d43cd22f8`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.4.5.5
ProductVersion	1.4.5.5
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	BOOST - NET KRZYSZTOF ZAGÓRSKI
FileDescription	Metin2 Bot
FileVersion (#2)	1.4.5.5
InternalName	HLBot
LegalCopyright	Copyright (C) 2025
OriginalFilename	HLBot.exe
ProductName	HLBot
ProductVersion (#2)	1.4.5.5

Resource LangID	Polish - Poland

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x672040`
SEHandlerTable	`0`
SEHandlerCount	`0`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .3ZG has a size of 0!

Leave a comment

No comments yet.