Manalyze report for c1a4cc37b516632fbeccfd41b41becad

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Jun-04 01:24:26
TLS Callbacks	2 callback(s) detected.
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: github.com https://github.com`
Suspicious	The PE is possibly packed.	`Unusual section name found: .buildid` `Unusual section name found: /4` `Unusual section name found: /18` `Unusual section name found: /33` `Unusual section name found: /45` `Unusual section name found: /57` `Unusual section name found: /68` `Unusual section name found: /82`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: SwitchToThread` `Possibly launches other programs: CreateProcessA system ShellExecuteA ShellExecuteW`
Suspicious	The file contains overlay data.	`393216 bytes of data starting at offset 0x10f400.`
Malicious	VirusTotal score: 3/72 (Scanned on 2026-02-04 13:15:59)	`Bkav: W64.AIDetectMalware` `Google: Detected` `Ikarus: Trojan-Downloader.Win64.Agent`

Hashes

MD5	`c1a4cc37b516632fbeccfd41b41becad`
SHA1	`cfd8824852775fd88079c2169e59361b47a056c2`
SHA256	`08396a4fc45f08edda6fa92d4a0b69ea5de65cbddfb67a43b25da77913e73ade`
SHA3	`334e0d1f618c6b79d76ff901477b8e85e8f8ed3ddead20d7515d1c0a7faa84f9`
SSDeep	`24576:b9UfNiiLmKpxO1ykdNyS/cv+4w7IwHZc/kbl14RTitCOhCBJXc:uN/LxpxO1ygk2cmFIwHZc/kbl14RQ`
Imports Hash	`fc55f1c87618a17158253d7220839f92`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`14`
TimeDateStamp	2025-Jun-04 01:24:26
PointerToSymbolTable	`0x10f400`
NumberOfSymbols	`6127`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xb0800`
SizeOfInitializedData	`0x5e800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000013A0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x11b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d041ce4be794eb8fd5c8521ab4806b8e`
SHA1	`5c9d5a26608264eb6d578f847a0aecb9a6d4f113`
SHA256	`cb00c4d40d9dc364561840c8f4c51dd39b74806457ecaccb989fe7690aa0adbc`
SHA3	`3ab2396182f427cdc03690c520f1800a011d41c980f28ffecb565e4be8263aa8`
VirtualSize	`0xb06a6`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb0800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.23165`

.rdata

MD5	`1b66cb63b26a9d49927f113948aa2c5b`
SHA1	`dd1e238e1c94b125b2d79f0a4f7c7aa087788ab7`
SHA256	`3d017535029abe7042205b2c55f5c5b15c2a25a013462c5bb6574c8dc6522c64`
SHA3	`29357f22a6cb1c633d4ff557340d008eb113e8e4031066399f8103f38691cf22`
VirtualSize	`0x2ce6c`
VirtualAddress	`0xb2000`
SizeOfRawData	`0x2d000`
PointerToRawData	`0xb0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.81068`

.buildid

MD5	`72a16bda51204ef14715d15e755c8598`
SHA1	`64e08f36c519bda2fad5728a33add1525a2f847e`
SHA256	`b664a19c13d983b52bb45608ef96aea3af8da28fe087eed00918557b39aed89b`
SHA3	`65dc00537e811d8ffa430b0a5d0be653bda738b5f9e8a6803f47bb650664e1eb`
VirtualSize	`0x35`
VirtualAddress	`0xdf000`
SizeOfRawData	`0x200`
PointerToRawData	`0xddc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.624878`

.data

MD5	`9a3cb96bf8559c7a96e35e19d535511e`
SHA1	`942d3f30d07c0d9d69c3d7f0879144ffbf3c7bc1`
SHA256	`a5abf6e4286e62af364aee073755044c3920af6bddcf29fc0a62fdbbe5733152`
SHA3	`a5dad1a68bfb83fc6abfcaa0ebb026d9e30b6f60c95bfc784304865cf1659619`
VirtualSize	`0x3578`
VirtualAddress	`0xe0000`
SizeOfRawData	`0x600`
PointerToRawData	`0xdde00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.25266`

.pdata

MD5	`35941a9373133de5a2cdf2acfd00be10`
SHA1	`bf2b11c95229ffc37f6574eeed562239cdd85f13`
SHA256	`5df649cdfda09160890e362227557c61d43d0540f38e45206db5f911d2b08423`
SHA3	`27dbbcf56e76a0baeae90041a0603bf5d5ffe07975d39d75b30fca331bf3b505`
VirtualSize	`0x681c`
VirtualAddress	`0xe4000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0xde400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.93227`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x20`
VirtualAddress	`0xeb000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe4e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`149c40b7d725805a49d4cfce3627a439`
SHA1	`d0a39334752b97c27ec5219710b01f73afe25bf8`
SHA256	`ccf85599584133711fbad4bce1468e852c2b2ead41da91f7dfdaf3ccc8239f3e`
SHA3	`f5a2ceb0beb7a4110d94f4e3228132a0e260ce89716e12ea5a14de4b88e79d39`
VirtualSize	`0x1c40`
VirtualAddress	`0xec000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0xe5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.37505`

/4

MD5	`685c357b049ce2263ff02ed4c903c832`
SHA1	`3a11cf667f4a91f99a704ab4ea07f372d2d1f494`
SHA256	`f3170e15547040ed6cb02392b7b96d13c9f623d64ee9422024446bb1d72aef89`
SHA3	`b4f42c226d483fef1fe650d96835a8b8f584f0d328e09a3bd37648b5d7987d9e`
VirtualSize	`0x31d9`
VirtualAddress	`0xee000`
SizeOfRawData	`0x3200`
PointerToRawData	`0xe6e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.6907`

/18

MD5	`005d7f007147d015df2a2acfa7de0942`
SHA1	`c5653b5379d1d2b0ce3660dbfa68a981c17a01e3`
SHA256	`abfa2b6767bbe55230a9f0ec8fa1bf86ea6ea73762a4c9e9ce0f6706f5a37eab`
SHA3	`ed70f9ef790eb7ffe662a91fa58333c787ddeab7dd2a6f8dd8fe479d29ce56ea`
VirtualSize	`0x30`
VirtualAddress	`0xf2000`
SizeOfRawData	`0x200`
PointerToRawData	`0xea000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.216207`

/33

MD5	`972d57abb9d0854b254b96fbec62fdbb`
SHA1	`9e15b6d13cf14d3edc8742d3325298217b3b4cc7`
SHA256	`faa8468f338293f5d5c79703c768053396a9a59d719343f5a4d182a057463e40`
SHA3	`3c860987dec3466344aab4fb74a1e5b0857818b27a2ecfd42d16c7125ade095b`
VirtualSize	`0xa5e1`
VirtualAddress	`0xf3000`
SizeOfRawData	`0xa600`
PointerToRawData	`0xea200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.18555`

/45

MD5	`4bb369005f350edfa62679daac7baf9d`
SHA1	`1246174ce03983dee3a54d9d04303b2ac89c42f9`
SHA256	`f9ac33698361b32f0db8028a7ef948233c90c313db1a995e98e336b34a9f92a4`
SHA3	`974e0facca52959ca9bd665a234910351de769552c20260d9f3e49a44e540d4f`
VirtualSize	`0x6841`
VirtualAddress	`0xfe000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0xf4800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.90501`

/57

MD5	`5c8e2eb8e9cf9ed41dc4fdcdbd223baa`
SHA1	`25df35d007723c0f173c4381ed1326c40ae3e4c4`
SHA256	`88e9bf527f4fb79be6654a25bdcbc8c195b9b4083e4260ff07140baad4a71b3b`
SHA3	`0f10090826f68b302cc2d7a6b89219f857a4cfaf55a10531d82c8a2e81ebeeb7`
VirtualSize	`0xc798`
VirtualAddress	`0x105000`
SizeOfRawData	`0xc800`
PointerToRawData	`0xfb200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.5781`

/68

MD5	`fa8efb78a960ecccc7914b1086a390b7`
SHA1	`53e8fe60c92185509689499eaa3c693462d08492`
SHA256	`34baf16099bbf472deb2bbbc5c005ec3791c63a056bc153e0ec35b6c336ddbb0`
SHA3	`a22bc5d6da76c30408397224b49c4833df285df7e0fb57cf4dde055ddee41369`
VirtualSize	`0x560`
VirtualAddress	`0x112000`
SizeOfRawData	`0x600`
PointerToRawData	`0x107a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.4102`

/82

MD5	`f5e0016b7120b219808afc3d308642db`
SHA1	`2d6a53318512242c02d504af1dfc0334998da645`
SHA256	`cadb9541daefc4cc0f2e3318a60f97aefc27933684c1b49007dc2a5533381ea9`
SHA3	`d76c9f3932d6003f54803a8887c21494ddc2cbead847943b41346ccba7132e7c`
VirtualSize	`0x73ff`
VirtualAddress	`0x113000`
SizeOfRawData	`0x7400`
PointerToRawData	`0x108000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.36927`

Imports

KERNEL32.dll	`AcquireSRWLockExclusive` `CloseHandle` `CreateDirectoryA` `CreateDirectoryW` `CreateProcessA` `DeleteCriticalSection` `EnterCriticalSection` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FormatMessageA` `GetConsoleScreenBufferInfo` `GetCurrentThreadId` `GetFileAttributesA` `GetFileAttributesW` `GetLastError` `GetLocalTime` `GetModuleFileNameA` `GetModuleFileNameW` `GetModuleHandleW` `GetProcAddress` `GetStdHandle` `GetSystemTimeAsFileTime` `GetThreadId` `InitOnceExecuteOnce` `InitializeCriticalSection` `LeaveCriticalSection` `LocalFree` `MultiByteToWideChar` `QueryPerformanceCounter` `QueryPerformanceFrequency` `RaiseException` `ReleaseSRWLockExclusive` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlRestoreContext` `RtlUnwindEx` `RtlVirtualUnwind` `SetConsoleTextAttribute` `SetUnhandledExceptionFilter` `Sleep` `SleepConditionVariableSRW` `SwitchToThread` `TlsGetValue` `TryAcquireSRWLockExclusive` `TryEnterCriticalSection` `VirtualProtect` `VirtualQuery` `WaitForSingleObjectEx` `WakeAllConditionVariable` `WakeConditionVariable` `WideCharToMultiByte` `__C_specific_handler`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `__p__commode` `__p__fmode` `__stdio_common_vfprintf` `__stdio_common_vsprintf` `__stdio_common_vsscanf` `__stdio_common_vswprintf` `_fseeki64` `_ftelli64` `_wfopen` `fclose` `fflush` `fgetwc` `fopen` `fputc` `fputs` `fputwc` `fread` `fseek` `fwrite` `getc` `setbuf` `ungetc` `ungetwc`
api-ms-win-crt-runtime-l1-1-0.dll	`__p___argc` `__p___argv` `__sys_nerr` `_assert` `_beginthreadex` `_cexit` `_configure_narrow_argv` `_crt_atexit` `_errno` `_exit` `_initialize_narrow_environment` `_initterm` `_initterm_e` `_set_app_type` `_set_invalid_parameter_handler` `abort` `exit` `signal` `strerror_s` `system`
api-ms-win-crt-locale-l1-1-0.dll	`___lc_codepage_func` `___mb_cur_max_func` `__pctype_func` `_configthreadlocale` `_create_locale` `_free_locale` `localeconv` `setlocale`
api-ms-win-crt-time-l1-1-0.dll	`_strftime_l` `_time64`
api-ms-win-crt-heap-l1-1-0.dll	`_aligned_free` `_aligned_malloc` `_set_new_mode` `calloc` `free` `malloc` `realloc`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `ceil`
api-ms-win-crt-private-l1-1-0.dll	`memchr` `memcmp` `memcpy` `memmove`
api-ms-win-crt-string-l1-1-0.dll	`_isctype_l` `_iswalpha_l` `_iswcntrl_l` `_iswdigit_l` `_iswlower_l` `_iswprint_l` `_iswpunct_l` `_iswspace_l` `_iswupper_l` `_iswxdigit_l` `_strcoll_l` `_strdup` `_strxfrm_l` `_tolower_l` `_toupper_l` `_towlower_l` `_towupper_l` `_wcscoll_l` `_wcsxfrm_l` `mbrlen` `memset` `strcmp` `strlen` `strncmp` `tolower` `toupper` `wcslen`
api-ms-win-crt-utility-l1-1-0.dll	`rand` `srand`
SHELL32.dll	`ShellExecuteA` `ShellExecuteW`
api-ms-win-crt-convert-l1-1-0.dll	`_strtod_l` `_strtoi64_l` `_strtoui64_l` `btowc` `mbrtowc` `mbsrtowcs` `strtod` `strtof` `strtol` `strtoll` `strtoul` `strtoull` `wcrtomb` `wcrtomb_s` `wcstod` `wcstol` `wcstoll` `wcstoul` `wcstoull` `wctob`
api-ms-win-crt-multibyte-l1-1-0.dll	`_mbtowc_l`
api-ms-win-crt-environment-l1-1-0.dll	`__p__environ` `getenv`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Jun-04 01:24:26
Version	`0.0`
SizeofData	`25`
AddressOfRawData	`0xdf01c`
PointerToRawData	`0xddc1c`

TLS Callbacks

StartAddressOfRawData	`0x1400eb000`
EndAddressOfRawData	`0x1400eb018`
AddressOfIndex	`0x1400e1000`
AddressOfCallbacks	`0x1400c64d0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000140085730` `0x00000001400857B0`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0`

RICH Header

Errors

[*] Warning: Tried to read outside the COFF string table to get the name of section /4!
[*] Warning: Tried to read outside the COFF string table to get the name of section /18!
[*] Warning: Tried to read outside the COFF string table to get the name of section /33!
[*] Warning: Tried to read outside the COFF string table to get the name of section /45!
[*] Warning: Tried to read outside the COFF string table to get the name of section /57!
[*] Warning: Tried to read outside the COFF string table to get the name of section /68!
[*] Warning: Tried to read outside the COFF string table to get the name of section /82!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!