Manalyze report for bd901c4c4423d0074fc03121ce2858c5

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-May-30 19:52:07
TLS Callbacks	2 callback(s) detected.
Debug artifacts	D:\git-sdk-64-full\usr\src\MINGW-packages\mingw-w64-openssl\src\build-i686\engines\capi.pdb

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: /4` `Unusual section name found: .debug`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Uses Microsoft's cryptographic API: CRYPTO_free CRYPTO_get_ex_new_index CRYPTO_malloc CRYPTO_set_mem_functions CRYPTO_strdup CRYPTO_zalloc CryptAcquireContextW CryptCreateHash CryptDecrypt CryptDestroyHash CryptDestroyKey CryptEnumProvidersW CryptExportKey CryptGetProvParam CryptGetUserKey CryptReleaseContext CryptSetHashParam CryptSignHashW` `Interacts with the certificate store: CertOpenStore`
Suspicious	VirusTotal score: 2/72 (Scanned on 2024-03-18 13:55:23)	`DeepInstinct: MALICIOUS` `MaxSecure: Trojan.Malware.209277537.susgen`

Hashes

MD5	`bd901c4c4423d0074fc03121ce2858c5`
SHA1	`1a0f5275a19a5745740835dc96bf9c072d840d3e`
SHA256	`f7021f8cfd53b51ddb560f368283748e51e1d86e84e5cab6df124514d52ef64c`
SHA3	`c94778d87639b2f63517ff3791011a2e5a0e9c7d95e0b8ad452d02dcdc927758`
SSDeep	`768:HZp+5l9sw/dTB4pl+oPPaxEgQHg5Viet70rGM:+7syekoPPa67b`
Imports Hash	`c979529addab4876a072902ce33d112c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`11`
TimeDateStamp	2023-May-30 19:52:07
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x5c00`
SizeOfInitializedData	`0xa600`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x000013B0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x67980000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x13000`
SizeOfHeaders	`0x600`
Checksum	`0x37828`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`fc9b69b7c44c866ebe0e32014e17fd0c`
SHA1	`daf1ac81f0b7fab274451ed4d43253bdbf08599a`
SHA256	`efe886dddce061ae934c41d1999ce1ecb2ca06a0f3704896aea1350da4a7c066`
SHA3	`88bb38f30d4696f84cfcee05f7cd5f551ca1d2083f7c5a302aaba369519b29f9`
VirtualSize	`0x5b74`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.91969`

.data

MD5	`0e4f9c4eba802ea860a91b3ac3bc9c07`
SHA1	`67fb0586d74df8c7cb806f739d6b690672817eec`
SHA256	`f4dcdedc4785d97e5433239e76a05a39bb83c4322986212cf2c4f7507dfb31a5`
SHA3	`a32a421a07c97e2d69f6868bfe03c63fc620d2d563c4d4ddeaa9653004f196a5`
VirtualSize	`0x220`
VirtualAddress	`0x7000`
SizeOfRawData	`0x400`
PointerToRawData	`0x6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.39203`

.rdata

MD5	`67634de9f56750c9dddd4ea8fcb16f07`
SHA1	`23c4b2084d146032933dc78ca7ae5339657aec2d`
SHA256	`308f054dc6dc747fd22cb107fbed318d38fd87643037a6c5b81d141e05f15e5d`
SHA3	`1128b27ecfd29da5c609d445813b695ba8242bb006880fd1dd81e20a31e6bf15`
VirtualSize	`0x1298`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.07795`

/4

MD5	`97475710a7297610d164c67833e66a3b`
SHA1	`a413882d6dd5eb3f5833a00d365469821232e007`
SHA256	`30429f6ad668c4c09dd7e5880f0392749f28063133681a1a5ac645bed376eb9f`
SHA3	`8ecccc46d35d8d510f1e429c2f77d15c5281eab217c1e3576328912e37b98541`
VirtualSize	`0xfa0`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.95889`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xa0`
VirtualAddress	`0xb000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.edata

MD5	`c9ae080ce112d213c2f0dfcd927cbf63`
SHA1	`174d64a6f59f0b7df4e2551682bba2c1dcc3c8bb`
SHA256	`837edb86742ed2f5ee53c79e4145fa56c23669b44bf34e853dc7f442f891b4da`
SHA3	`8e5d79a2ad1694fc7929654ffc128c9917934d2b4766d5550647b2cdba6cb0b8`
VirtualSize	`0xa3`
VirtualAddress	`0xc000`
SizeOfRawData	`0x200`
PointerToRawData	`0x8a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.74909`

.idata

MD5	`837a0118c65cc823e176a11f7fb6ae79`
SHA1	`f3138fe2aa88dea0eecb52c30a62c0d7c98f8419`
SHA256	`0e0841f9f49f0dd9847ead2c78cabdc38e3b220d29ded5b62cef710557b5bfaf`
SHA3	`25d7a20f6c11c5df7f442f7339fcd6dc88ec4f2c91e2b9b9122aa28613b1fa62`
VirtualSize	`0x1354`
VirtualAddress	`0xd000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x8c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.05754`

.CRT

MD5	`41ca1321d79e0edc33edd9a54bf0f9e3`
SHA1	`deb8e438b73cdb3ffbabbb0faab487540ebb3c0d`
SHA256	`011d3a5b53d3646bf69c0a1c35801fa54dcedcb24cd7c4e69d7c5f4e04661bb5`
SHA3	`60bfbee38beedd1504c3d05a8b03cd7ad565e878d500571c57585772df3fc5da`
VirtualSize	`0x2c`
VirtualAddress	`0xf000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.205446`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`6cf41971e386fba98f30f222174a8dbe`
SHA1	`dde6312caed1db31974ea4a19abf3a18cc1826c9`
SHA256	`6a8e687ce32dedb2328d1f454fe3d18121ba5adcb52296b3261b1d773f112a59`
SHA3	`ec77423cf428a1b50f2f43ff6778b726d2c5448b37e8c3215b4d66ac03efd303`
VirtualSize	`0x734`
VirtualAddress	`0x11000`
SizeOfRawData	`0x800`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.36205`

.debug

MD5	`ccd0e88ca8e6d22a5a8bca94f4767985`
SHA1	`8e86bc2fc4423b2b008e22703b6d1173abb2c508`
SHA256	`fd5104c47a89be753d442d95c4079a576c5814cfdb6a347c2a7a43e6cf68fcbe`
SHA3	`b3f81aaf80676cd47b14f31ed3e9efa00bddf92dddf0ebdfa1ae83bc25a742dc`
VirtualSize	`0x200`
VirtualAddress	`0x12000`
SizeOfRawData	`0x9c`
PointerToRawData	`0xac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.83129`

Imports

libcrypto-1_1.dll	`BIO_free` `BIO_new_file` `BIO_new_fp` `BIO_printf` `BIO_snprintf` `BIO_vprintf` `BN_bin2bn` `BN_free` `BN_new` `BN_set_word` `CRYPTO_free` `CRYPTO_get_ex_new_index` `CRYPTO_malloc` `CRYPTO_set_mem_functions` `CRYPTO_strdup` `CRYPTO_zalloc` `DSA_OpenSSL` `DSA_SIG_new` `DSA_SIG_set0` `DSA_free` `DSA_get0_engine` `DSA_get_ex_data` `DSA_meth_free` `DSA_meth_get_bn_mod_exp` `DSA_meth_get_mod_exp` `DSA_meth_get_verify` `DSA_meth_new` `DSA_meth_set_bn_mod_exp` `DSA_meth_set_finish` `DSA_meth_set_mod_exp` `DSA_meth_set_sign` `DSA_meth_set_verify` `DSA_new_method` `DSA_set0_key` `DSA_set0_pqg` `DSA_set_ex_data` `ENGINE_get_ex_data` `ENGINE_get_static_state` `ENGINE_set_DSA` `ENGINE_set_RSA` `ENGINE_set_cmd_defns` `ENGINE_set_ctrl_function` `ENGINE_set_destroy_function` `ENGINE_set_ex_data` `ENGINE_set_finish_function` `ENGINE_set_flags` `ENGINE_set_id` `ENGINE_set_init_function` `ENGINE_set_load_privkey_function` `ENGINE_set_load_ssl_client_cert_function` `ENGINE_set_name` `ERR_add_error_data` `ERR_get_next_error_library` `ERR_load_strings` `ERR_put_error` `ERR_unload_strings` `EVP_PKEY_assign` `EVP_PKEY_new` `OPENSSL_cleanse` `OPENSSL_init_crypto` `OPENSSL_sk_free` `OPENSSL_sk_new_null` `OPENSSL_sk_num` `OPENSSL_sk_push` `OPENSSL_sk_value` `PEM_write_bio_X509` `RSA_PKCS1_OpenSSL` `RSA_free` `RSA_get0_engine` `RSA_get_ex_data` `RSA_meth_free` `RSA_meth_get_bn_mod_exp` `RSA_meth_get_mod_exp` `RSA_meth_get_pub_dec` `RSA_meth_get_pub_enc` `RSA_meth_new` `RSA_meth_set_bn_mod_exp` `RSA_meth_set_finish` `RSA_meth_set_mod_exp` `RSA_meth_set_priv_dec` `RSA_meth_set_priv_enc` `RSA_meth_set_pub_dec` `RSA_meth_set_pub_enc` `RSA_meth_set_sign` `RSA_new_method` `RSA_set0_key` `RSA_set_ex_data` `RSA_size` `X509_NAME_cmp` `X509_NAME_print_ex` `X509_check_purpose` `X509_free` `X509_get_ex_data` `X509_get_issuer_name` `X509_get_subject_name` `X509_print_ex` `X509_set_ex_data` `d2i_X509`
ADVAPI32.dll	`CryptAcquireContextW` `CryptCreateHash` `CryptDecrypt` `CryptDestroyHash` `CryptDestroyKey` `CryptEnumProvidersW` `CryptExportKey` `CryptGetProvParam` `CryptGetUserKey` `CryptReleaseContext` `CryptSetHashParam` `CryptSignHashW`
CRYPT32.dll	`CertCloseStore` `CertDuplicateCertificateContext` `CertEnumCertificatesInStore` `CertFindCertificateInStore` `CertFreeCertificateContext` `CertGetCertificateContextProperty` `CertOpenStore`
KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `FreeLibrary` `GetLastError` `GetModuleHandleA` `GetProcAddress` `InitializeCriticalSection` `LeaveCriticalSection` `LoadLibraryA` `MultiByteToWideChar` `Sleep` `TlsGetValue` `VirtualProtect` `VirtualQuery` `WideCharToMultiByte`
msvcrt.dll	`_amsg_exit` `_initterm` `_iob` `_lock` `_unlock` `abort` `calloc` `free` `fwrite` `memcpy` `realloc` `strcmp` `strlen` `strncmp` `vfprintf` `wcscmp` `wcslen`

Delayed Imports

bind_engine

Ordinal	`1`
Address	`0x4b70`

capi_find_key

Ordinal	`2`
Address	`0x54c0`

capi_free_key

Ordinal	`3`
Address	`0x58a0`

capi_list_certs

Ordinal	`4`
Address	`0x4df0`

v_check

Ordinal	`5`
Address	`0x4b50`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	1970-Jan-01 00:00:00
Version	`0.0`
SizeofData	`128`
AddressOfRawData	`0x12000`
PointerToRawData	`0xac00`
Referenced File	D:\git-sdk-64-full\usr\src\MINGW-packages\mingw-w64-openssl\src\build-i686\engines\capi.pdb

TLS Callbacks

StartAddressOfRawData	`0x67990000`
EndAddressOfRawData	`0x67990004`
AddressOfIndex	`0x6798b058`
AddressOfCallbacks	`0x6798f018`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x67985D30` `0x67985CE0`

Load Configuration

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Section .bss has a size of 0!